ChristJS
I read this a couple of times and could not decipher the requirements clearly.
From an Access Management perspective, the Product has no knowledge of the Identity. The Product (any Access Management Product) relies on an Identity Store and results from an Identity Store to make decisions.
The basic question to answer is, "How would an Access Management Product know it has to map an Identity 'abc@xyz.com', which the User entered in the browser, to a different Identity 'xyz@someupn.com'?". I believe this would be the case for all Users, i.e. it has to be dynamically supported. Thus the Access Management Product has to make multiple calls to the Identity Store to fetch this info out (albeit it also needs to ensure the User Provisioning process works impeccably, as these Identities need to be mapped correctly in the Identity Store to begin with, in order to succeed at the Access Management Layer).
'abc@xyz.com' --> Maps to --> 'xyz@someupn.com'
'def@xyz.com' --> Maps to --> 'pqr@someupn.com'
'ghi@xyz.com' --> Maps to --> 'rst@someupn.com'
Let me ask a few Questions:
- Are both identities in the same Identity Store OR are they in different Identity Stores?
- Is this mapping supposed to happen as part of Authentication OR as part of Authorization?
Here is a thought process:
- If it is the same Identity Store and has to happen as part of Authentication, then OOB it is not possible. We can try using SmWalker as an Authentication Scheme Wedge and see (POC) if it works.
- If it is a different Identity Store and has to happen as part of Authorization, then we could look at an Identity Mapping OR Directory Mapping Solution.
Again, I do not have a clear view of the Identity Structure and relationships at this point in time. Hence all the above are just pure suggestions to see if we can get the ball rolling in the right direction.
Regards
Hubert
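The "different Identity Store, mapping at Authorization" path described above, as an added example that is not part of the post and does not model any particular product's behaviour. It assumes two constructed stores: one keyed by the identity typed in the browser (holding the credential and the mapped identity), and one keyed by the mapped identity (holding entitlements). The point it shows is the provisioning caveat from the reply: a valid credential with no mapped identity must fail closed rather than fall back to the login identity. All identities, passwords and resource names are constructed sample data.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed sample data (hypothetical; not from the post or any product).
_SALT = b"demo-salt"  # fixed salt only so the sample is reproducible; use per-user random salts in practice


def _hash_pw(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


# Identity Store #1: the identity the user types in the browser -> credential + mapped identity.
AUTHN_STORE = {
    "abc@xyz.com": {"pw_hash": _hash_pw("pw-abc"), "mapped_id": "xyz@someupn.com"},
    "def@xyz.com": {"pw_hash": _hash_pw("pw-def"), "mapped_id": "pqr@someupn.com"},
    # Provisioning gap: the account exists but no mapped identity was written yet.
    "ghi@xyz.com": {"pw_hash": _hash_pw("pw-ghi"), "mapped_id": None},
}

# Identity Store #2: entitlements keyed by the *mapped* identity, not the login identity.
AUTHZ_STORE = {
    "xyz@someupn.com": {"/reports", "/admin"},
    "pqr@someupn.com": {"/reports"},
}


def normalize(identity: str) -> str:
    """Canonicalise the typed identity so ' ABC@XYZ.com' and 'abc@xyz.com' hit the same record."""
    return identity.strip().lower()


@dataclass(frozen=True)
class Principal:
    login_id: str   # identity presented in the browser
    mapped_id: str  # identity the authorization store knows


def authenticate(login_id: str, password: str):
    """Authentication step: verify the credential, then resolve the mapped identity.

    Returns (Principal, None) on success, or (None, reason) on failure. A missing
    mapping is a failure: the product never substitutes the login identity.
    """
    record = AUTHN_STORE.get(normalize(login_id))
    # Hash even for unknown users so timing does not reveal which identities exist.
    presented = _hash_pw(password)
    if record is None or not hmac.compare_digest(record["pw_hash"], presented):
        return None, "authentication failed"
    if not record["mapped_id"]:
        return None, "no identity mapping provisioned"
    return Principal(normalize(login_id), record["mapped_id"]), None


def authorize(principal: Principal, resource: str) -> bool:
    """Authorization step: look the mapped identity up in the second store."""
    return resource in AUTHZ_STORE.get(principal.mapped_id, set())


def access(login_id: str, password: str, resource: str) -> tuple:
    """End-to-end decision with a reason string suitable for an audit log."""
    principal, reason = authenticate(login_id, password)
    if principal is None:
        return ("deny", reason)
    if not authorize(principal, resource):
        return ("deny", f"{principal.mapped_id} not entitled to {resource}")
    return ("allow", f"{principal.login_id} as {principal.mapped_id}")


if __name__ == "__main__":
    for args in [("abc@xyz.com", "pw-abc", "/admin"),
                 ("def@xyz.com", "pw-def", "/admin"),
                 ("ghi@xyz.com", "pw-ghi", "/reports"),
                 ("abc@xyz.com", "wrong", "/reports")]:
        print(args[0], args[2], "->", access(*args))
```

The design choice worth noting is that the mapping is resolved once, at authentication time, and carried on the principal; the authorization store is consulted only by the mapped identity, so an unprovisioned account is denied before any entitlement lookup and the audit reason distinguishes "bad credential" from "mapping not provisioned".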