Hello Kristof, I am assuming you're using the bundled openid_connect frontend that works through the pyop library. The process to configure the frontend to generate an identifier that is mirroring an attribute value is a bit involved as by default the frontend is hashing the given sub value. Note that pyop is not actively being developed anymore and focus has switched towards the "idpy-oidc" library (https://github.com/IdentityPython/idpy-oidc/) New frontends are being developed using that library and may at some point be merged on the repo. See for example: https://github.com/UniversitaDellaCalabria/SATOSA-oidcop (also, https://github.com/IdentityPython/SATOSA/blob/master/doc/README.md#external…) On Wed, 24 Aug 2022 at 16:55, Kristof Bajnok <kristof(a)bajnok.hu> wrote: In order to set the sub to the exact attribute value you need: - the client configuration to have `public` as the subject type (through the `subject_type` option on the client configuration), or set the provider option `subject_types_supported` to have `public` as its first item (see, https://github.com/IdentityPython/SATOSA/blob/bece3e2/example/plugins/front…) - provide a subject identifier factory that just returns the given value when asked to generate an identifier (see, https://github.com/IdentityPython/SATOSA/blob/b903d97/src/satosa/frontends/…) Correct. The identifier in the OIDC world is the sub. By default the NameID is used as input for the sub claim, but internally on the frontend that value is hashed. Changing the subject_id (and the corresponding subject_type) is fine. Changing that and any attribute is the main use case of micro-services. However, no matter how you set the subject_id through a micro-service, the value will be hashed by the frontend that runs after the micro-services. So, to override the default behaviour you have to provide your own subject identifier factory. What exactly is that and how do you do it? In the OIDC world there are two types of subject identifiers - public and pairwise (see, https://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes) The pairwise identifier is a targeted identifier for the service that the identifier is being released towards. This means that the pairwise identifier cannot mirror a given value, but the value will go through some process that generates a value unique for the service that is going to receive it. On the other hand, the public identifier is specified as being the same across services, thus it doesn't need to go through a process of modifying the value. In pyop this aspect is controlled through the subject identifier factory. The default (and only) subject identifier factory is hashing the values it is given. In the case of the public type it is getting a value and hashing it with the `sub_hash_salt` value (see, https://github.com/IdentityPython/SATOSA/blob/bece3e2/example/plugins/front…) and returns the result. What we want to do is have the generation of the public identifier skip the hashing. Here is some code that does that on the current frontend: - code: https://gist.github.com/c00kiemon5ter/69d5e2efeb8d657ed64b3111e996369c - revision (to understand the changes): https://gist.github.com/c00kiemon5ter/69d5e2efeb8d657ed64b3111e996369c/revi… This code is overriding the current behaviour and replaces the subject identifier factory with a custom one that does (hopefully) what you want. I'd be happy to make this part of the frontend if somebody drops a PR with this code including a new configuration option that controls which subject identifier factory should be used. PS: sorry for the long class name; couldn't come up with a better one Kind regards, -- Ivan c00kiemon5ter Kanakarakis >:3