Hello,
Seems like Keycloak always uses the saml:NameID to identify a SAML user.
In org.keycloak.broker.saml.SAMLEndpoint we see:
    BrokeredIdentityContext identity = new BrokeredIdentityContext(subjectNameID.getValue());
    ...
    identity.setUsername(subjectNameID.getValue());
However this is not a good practice, see recommendations here:
https://kantarainitiative.github.io/SAMLprofiles/saml2int.html
"SPs MUST NOT require the presence of a <saml:NameID> element and MUST NOT
rely on the content of this element for long term identification of
subjects; <saml:Attribute> elements MUST be used for this purpose in the manner
detailed below."
IMO, Keycloak should provide a field when configuring an IdP to choose the
custom attribute used to "identify" a user. This could be the mail attribute,
for example (urn:oid:0.9.2342.19200300.100.1.3), but it should not take this
information from saml:NameID.
Is there any way to override this in Keycloak?
Should I create a JIRA issue?
Best regards,
Daniel Teixeira
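As an added illustration (not Keycloak's code, and not part of the post above) of what the saml2int recommendation looks like in practice: the subject is identified by a configured <saml:Attribute> (here the mail OID the post mentions), the NameID is inspected only to show why it is unsuitable (the constructed sample carries a transient one), and an assertion without exactly one value for the identifying attribute is rejected instead of silently falling back to NameID.

```python
"""Pick a SAML subject identifier from a configured attribute, not NameID."""
import xml.etree.ElementTree as ET  # production code should use a hardened parser (e.g. defusedxml)

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
MAIL_OID = "urn:oid:0.9.2342.19200300.100.1.3"  # the mail attribute cited in the post

# Constructed sample assertion for the demonstration; signature and conditions omitted.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_sample" Version="2.0" IssueInstant="2020-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_a1b2c3d4</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue>alice@example.org</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


class IdentityError(ValueError):
    """Raised when the assertion does not carry a usable identifier."""


def attribute_values(assertion_xml: str, name: str) -> list:
    """Return all non-empty values of the attribute called `name` (compared literally, not via XPath)."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == name:
            values.extend((v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS))
    return [v for v in values if v]


def name_id_format(assertion_xml: str):
    """Format of the subject NameID, if present; transient/persistent values are not a stable identity."""
    nid = ET.fromstring(assertion_xml).find("saml:Subject/saml:NameID", NS)
    return None if nid is None else nid.get("Format")


def subject_identifier(assertion_xml: str, identifying_attribute: str = MAIL_OID) -> str:
    """Identify the subject by the configured attribute; refuse ambiguous or missing values."""
    values = attribute_values(assertion_xml, identifying_attribute)
    if len(values) != 1:
        raise IdentityError(f"expected exactly one value for {identifying_attribute}, got {values!r}")
    return values[0]
```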