...
- Normalizing the authenticated Subject into a simple username (referred to as "post-login" canonicalization, see also AuthenticationConfiguration)
- Mapping a SAML 1
<NameIdentifier>or SAML 2<NameID>element into a simple username (referred to as NameID consumption, see also NameIDConsumptionConfiguration)
Even though these are wildly different use cases, the same basic process is used to orchestrate the work. The difference arises from the specific subflows used by the master c14n subflow to do the actual work. The design will accomodate any future use cases in which something that's not necessarily a (single) string has to be turned into a username that is a string to match against the internal representation of users in an organization's systems.
...