When running Policy Server for the Federation journey, how can the incoming NameID value be modified? Policy Server is IdP side.
Policy Server as IdP has a feature to customize the Assertion Generator. When configuring the Partnership in the AdminUI, on the "Assertion Configuration" tab, there is a section at the bottom called "Assertion Generator Plug-in" where the location of your custom Assertion Generator plug-in is specified.
The SDK installation ships a sample Custom Assertion Generator that can guide the implementation.
On a Linux installation, for example:
/{home_sdk}/samples/assertiongeneratorplugin
AssertionSample.java
/**
 * Change saml:NameIdentifier Format for Authentication statement from "uid" to "email"
 */
protected boolean ChangeAuthAttribute(Document assertionDoc) throws Exception {
    // Get the node iterator for the XPath
    Node xRoot = assertionDoc.getDocumentElement();
    [...omitted for brevity...]
    // Get the current user's path, it is UserDN as this user is authenticated.
    String userDN = userContext.getProp("SM_USERNAME");
    apiContext.trace("Sample Assertion Plugin", "Retrieved user dn from userContext: " + userDN);
    // You can also get the userDN by userContext.getUserName
    apiContext.trace("Sample Assertion Plugin", "Another way to retrieve user dn from userContext: " + userContext.getUserName());
    // Do the user mapping here.
    // You can do some engineering work on the current user's DN
    // or you can compose the mapped user DN with current user's uid, which can be retrieved via userContext.getProp("uid")
    // Get the user's email attribute,
    // if user is the mapped user which is different from the current one,
    // please add "<SMUNRELATEDDN>" prefix string for the input DN.
    String email = userContext.getDnProp("<SMUNRELATEDDN>" + userDN, "mail");
    apiContext.trace("Sample Assertion Plugin", "Retrieved user email from userContext: " + email);
Refer to the documentation (1) for how to implement it.
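The SDK sample above stops at retrieving the email value; the part it omits is the DOM edit that actually replaces the NameID. The following is an added, stand-alone example (not code from the SiteMinder SDK or from this article) showing that edit on a constructed SAML 2.0 assertion: it parses the assertion with DTD and external-entity processing disabled, rewrites the single saml:NameID value and its Format attribute, and serializes it back. The plug-in wiring (APIContext, UserContext, the plug-in interface method) is assumed and left out; the class name NameIdRewriteExample, the sample assertion and the email value are constructed for illustration.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

// Added example: NameID rewrite on an assertion DOM. Not the SDK's plug-in API.
public class NameIdRewriteExample {

    static final String SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    static final String FORMAT_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress";

    // Constructed sample assertion (not a real capture); NameID carries the uid.
    static final String SAMPLE_ASSERTION =
        "<saml:Assertion xmlns:saml=\"" + SAML2_NS + "\" ID=\"_example\" Version=\"2.0\">"
      + "<saml:Issuer>https://idp.example.test</saml:Issuer>"
      + "<saml:Subject><saml:NameID Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified\">"
      + "jdoe</saml:NameID></saml:Subject>"
      + "</saml:Assertion>";

    // Parse with DTDs and external entities disabled: the plug-in re-parses
    // server-generated XML, but a hardened parser costs nothing here.
    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setExpandEntityReferences(false);
        DocumentBuilder b = f.newDocumentBuilder();
        return b.parse(new InputSource(new StringReader(xml)));
    }

    // Replace the NameID value and Format. Returns false when the assertion does
    // not contain exactly one NameID, so the caller can keep the default assertion.
    static boolean rewriteNameId(Document doc, String newValue, String newFormat) {
        NodeList ids = doc.getElementsByTagNameNS(SAML2_NS, "NameID");
        if (ids.getLength() != 1) {
            return false;
        }
        Element nameId = (Element) ids.item(0);
        nameId.setTextContent(newValue);      // text node, so '<' and '&' are escaped on output
        nameId.setAttribute("Format", newFormat);
        return true;
    }

    static String serialize(Document doc) throws Exception {
        Transformer t = TransformerFactory.newInstance().newTransformer();
        t.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
        StringWriter out = new StringWriter();
        t.transform(new DOMSource(doc), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // In a real plug-in the value comes from the user store, e.g. the "mail"
        // attribute the SDK sample reads via userContext.getDnProp(...). Constructed here.
        String email = "jdoe@example.test";
        Document doc = parse(SAMPLE_ASSERTION);
        if (!rewriteNameId(doc, email, FORMAT_EMAIL)) {
            throw new IllegalStateException("assertion does not contain exactly one NameID");
        }
        System.out.println(serialize(doc));
    }
}
```

Two points a practitioner should check when wiring this into the plug-in: the rewrite must take place before the assertion is signed, since any change to already-signed XML invalidates the signature and the SP will reject it; and when no usable email value is found, return the unmodified assertion (or fail the request) rather than emitting an empty NameID, which the SP would otherwise accept as a subject with no identifier.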