We have an application protected with Web Agent/WAOP, so when the users login through Federation (SP initiated) we do see the SM_USER header is being set to the UniversalID. However, if the users login directly (without Federation on SSO side) then the SM_USER header is set to user login ID.
How Federation Authentication fill the SM_USER header ?
When the request is coming to the SP, the user identity is already authenticated in IDP side, and to pass this to the SP side for validation, it is done with the attributes included in the assertion. This is configured in the partnership settings. You may check in your current partnership (SP side) to check in the User Identification section which Identity Attribute is being obtained from the Assertion, and how it is being mapped to your current User Directories. You may choose a different attribute here as well.
In AdminUI, you can go to Federation > Partnerships > Modify your partnership > Go to step 2 (User Identification), and review the current settings to see which is being used to set the SM_USER afterwards
By default it is set to use the NameID in the assertion, and then it use the UniversalID attribute set in the User Directory used to set the SM_USER header.