Motivation

When the IdP sends the username into an attribute instead of using the NameID, even if the screenName is properly mapped to this attribute, Liferay looks for the user into the users list using the NameID.

This happens, for example when transient or persistent NameID formats are used. They generates ID which format are not compatible with the screenName format, so they can't be used as screenName, and the mapping only works to create the user, but not to check if the user exists.

Steps to reproduce:

1. Use an IdP which allows transient format for Name ID
2. Map screenName = <attribute_that_contains_username>
3. Log in -> The user will be created and user's data looks fine
4. Log out
5. Log in again with the same user
6. You'll get this error: 
   ERROR [http-nio2-8080-exec-36][WebSsoProfileImpl:809] Screen name <your_user_name> must not be duplicate but is already used by user <user_id>

Feature request:

The background reason why the transient mode is not working, may be that we don't provide the option to map the screen name with another attribute that differs from the Name ID (well, actually we provide it but it doesn't work). So If we provide a configuration checkbox to do this, or if we detect automatically that the screen name is mapped, then we should check if the user exists using this value instead of the Name ID. This automatically will solve the transient and other NameId modes supported in SAML2.

Acceptance Criteria

1. As an Instance Administrator, I want a SAML assertion attribute to be mapped to screenName even if it differs from NameID to prevent having screen name mapping related duplication error.