Users can now extend the SAML2AuthenticationHandler and perform any additional logic right after the assertion is created by the IdP.
In this case, you can use a custom handler to change the NameID.