I have a need to construct a NameID using the urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress format but actually based on a Kerberos principal. This is to satisfy an SP that wants an emailAddress for the NameID, but I need to present one that is immutable, since users can change their primary email address.
Putting aside the why for now... my problem is that the desired NameID strips off the domain portion of the value.
I have built a new attribute on which the new NameID is based:
Why in the first instance is the domain portion being removed? Wouldn't the NameID attribute processing simply take whatever is defined by the source attribute? Or does it process farther down to the original source-of-the-source?