...

The examples at the top of the oidc-attribute-resolver.xml file demonstrate a couple of different approaches to "sub" claim generation. You may save some time by importing the example file into your resolver service resources via conf/services.xml, but you may need to comment out or remove some of the other examples. Alternatively, just add the new XML declarations in the root element of your own resolver configuration and copy the parts you need. Note that because the "sub" claim is unusual, there are no default transcoding rules for it, and dedicated, OIDC-specific <AttributeEncoder> elements should be attached to produce the proper claim name. It is certainly possible to do so with transcoding rules instead if preferred.

A recommended strategy is one in which the public "sub" variant is produced by appending a scope suffix to a value you already use for stable identification of your user population, such as an IDM-assigned serial number, employee/student/guest ID, etc. The pairwise variant is a salted hash of this same underlying value, so a relying party cannot correlate it with the public variant or with the identifier in your IDM.
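The two variants described above, as an added Python illustration of the strategy rather than code from the plugin or the example resolver file. It assumes a constructed scope, salt and stable identifier, and mixes the relying party's sector identifier into the pairwise hash so that each relying party sees a different value (the construction in OpenID Connect Core 1.0, section 8.1); the page itself only says "salted hash of the same underlying value".

```python
import base64
import hashlib
import re

# Constructed sample values (not from the original page). In a deployment the
# scope and salt come from conf/oidc.properties and the sector identifier from
# the relying party's registered metadata.
SCOPE = "example.org"
SALT = b"constructed-demo-salt-not-for-production-1234"

# The underlying value is an opaque IDM token, not a name or e-mail address.
_ID_RE = re.compile(r"^[A-Za-z0-9._-]+$")


def public_sub(stable_id: str, scope: str = SCOPE) -> str:
    """Public variant: the stable identifier with a scope suffix appended,
    so every relying party receives the same value."""
    if not _ID_RE.match(stable_id):
        raise ValueError("stable identifier must be a non-empty opaque token")
    return f"{stable_id}@{scope}"


def pairwise_sub(stable_id: str, sector_identifier: str, salt: bytes = SALT) -> str:
    """Pairwise variant: salted SHA-256 over the same stable identifier, with
    the relying party's sector identifier mixed in (assumption, see lead-in)."""
    if not _ID_RE.match(stable_id):
        raise ValueError("stable identifier must be a non-empty opaque token")
    if len(salt) < 16:
        # An empty or short salt lets anyone who can guess IDs recompute the
        # hash and link the pairwise value back to the underlying identifier.
        raise ValueError("salt must be at least 16 bytes")
    digest = hashlib.sha256(
        sector_identifier.encode("utf-8") + b"|"
        + stable_id.encode("utf-8") + b"|"
        + salt
    ).digest()
    # base64url without padding keeps the claim value URL- and JSON-safe.
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def is_unlinkable(stable_id: str, rp_a: str, rp_b: str) -> bool:
    """True when two relying parties receive different pairwise values for the
    same user, which is the privacy property the pairwise variant exists for."""
    return pairwise_sub(stable_id, rp_a) != pairwise_sub(stable_id, rp_b)
```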

...

The examples supplied rely on a handful of properties in conf/oidc.properties to set some of the important input values.

...