The Windows SSO (WSSO) module authenticates and returns the user principal exactly as it was given in the Kerberos ticket. There is an option to return this value as user@REALM or as user (extracting the name from the Kerberos GSS ticket).
However, a user may authenticate to Kerberos in mixed case, so the userPrincipal taken from the ticket may be USER or user, depending on what is done in the Kerberos environment (or on the kinit).
Here's a sample Kerberos Java debug trace
where the actual AD UPN or sAMAccountName is "winguest" but the kinit is done to create the following TGT
It would be good to have the WSSO module canonicalize the principal against a known field. Although there is a setting to check that the user exists in the profile, the UserPrincipal set by the WSSO module in the above case is WinGUEST, and there is no user name remapping or other treatment.
This feature is similar to Hadoop's Kerberos support, which has built-in user name mapping.
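As an added illustration (not code from OpenAM or from this report), this is the kind of canonicalization the request describes: the principal from the ticket is matched case-insensitively against a constructed profile store standing in for the datastore lookup, and the stored spelling is what gets returned, so a ticket for WinGUEST can no longer produce a differently-cased sub. The profile names, the realm and the expected_realm check are assumptions.

```python
# Constructed profile store standing in for the datastore: the keys are the
# stored sAMAccountName values, i.e. the spelling that should reach OIDC.
PROFILES = {"winguest": "AD.EXAMPLE.COM", "alice": "AD.EXAMPLE.COM"}


def split_principal(principal):
    """Split 'name@REALM' into (name, REALM); a missing realm yields ''.

    Enterprise-style names such as 'user@corp.example.com@REALM' keep
    their last '@' as the realm separator.
    """
    name, sep, realm = principal.rpartition("@")
    if not sep:
        return principal, ""
    return name, realm


def canonicalize(principal, profiles=PROFILES, expected_realm=None,
                 include_realm=False):
    """Map a ticket principal like 'WinGUEST@AD.EXAMPLE.COM' to the stored
    profile name, or return None so the caller rejects the login instead of
    minting a token for an identity that does not match the datastore.
    """
    name, realm = split_principal(principal)
    # Assumption: realms are compared case-insensitively (AD realms are
    # conventionally upper case); tickets from any other realm are refused.
    if expected_realm and realm.upper() != expected_realm.upper():
        return None
    # Service principals (host/fqdn) are not user identities.
    if "/" in name:
        return None
    folded = name.casefold()
    for stored in profiles:
        if stored.casefold() == folded:
            # Return the datastore spelling, not the ticket spelling.
            return f"{stored}@{realm.upper()}" if include_realm else stored
    return None
```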
WHY THIS IS IMPORTANT
When WSSO is used as part of an OIDC flow, a wrong UserPrincipal may be used due to wrong or mixed case, which causes issues such as:
OAuth introspect endpoint returns user_id and sub with mixed case
and also similar to
"OIDC token generated with datastore module takes case from request rather than from the datastore"
Workaround: create a custom WSSO module, or,
if using OIDC, see
OPENAM-7878 Add functionality to modify the sub at the module level to override the clientID setting