Description
Currently the LdapClaimHandler can only look up attributes for a user when the username in the token exactly matches the username in the LDAP directory.
With Kerberos the username has the form user@domain.com. If the user authenticates at the STS with a Kerberos token, the LdapClaimHandler is able to extract the username. But if the username comes from a different token type (e.g. a SAML token in a WS-Federation scenario with initial Kerberos authentication), the lookup fails.
My proposal would be to extend the LdapClaimHandler in such a way that it is possible to define a DELIMITER (e.g. '@') which can be used on any token type to extract the username. An even more generic way would be to provide the option for a callback handler to map the username. But for now I would go with the simple solution of a delimiter.
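To illustrate the delimiter proposal, here is an added standalone example (not CXF code and not the LdapClaimHandler itself) showing how a configurable delimiter would strip the realm from a principal such as user@domain.com before the LDAP lookup, and why the extracted value must still be escaped per RFC 4515 before it is placed in a search filter; the class, attribute and sample principals are assumptions for the example.

```java
/** Hypothetical helper for the proposed delimiter-based username extraction. */
public final class DelimitedUserLookup {

    private final String delimiter; // e.g. "@"; null or empty disables splitting

    DelimitedUserLookup(String delimiter) {
        this.delimiter = delimiter;
    }

    /** Returns the part before the first delimiter; a principal without the delimiter is used as-is. */
    String extractUser(String principal) {
        if (principal == null || principal.isEmpty()) {
            throw new IllegalArgumentException("empty principal");
        }
        if (delimiter == null || delimiter.isEmpty()) {
            return principal; // no delimiter configured: current direct-match behaviour
        }
        int idx = principal.indexOf(delimiter);
        if (idx == 0) {
            throw new IllegalArgumentException("no username before delimiter: " + principal);
        }
        return idx < 0 ? principal : principal.substring(0, idx);
    }

    /** Escapes a value for use inside an LDAP search filter (RFC 4515, section 3). */
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Builds the lookup filter for the given attribute, e.g. (uid=alice). */
    String buildFilter(String attribute, String principal) {
        return "(" + attribute + "=" + escapeFilterValue(extractUser(principal)) + ")";
    }

    public static void main(String[] args) {
        DelimitedUserLookup lookup = new DelimitedUserLookup("@");
        // Constructed sample principals: Kerberos-style, plain, and one containing filter metacharacters.
        System.out.println(lookup.buildFilter("uid", "alice@EXAMPLE.COM")); // (uid=alice)
        System.out.println(lookup.buildFilter("uid", "bob"));               // (uid=bob)
        System.out.println(lookup.buildFilter("uid", "a*b(c)@EXAMPLE.COM")); // (uid=a\2ab\28c\29)
    }
}
```

Only the first occurrence of the delimiter is used, so a principal that itself contains the delimiter character is cut at the first one; whether that is the desired semantics would need to be decided alongside the configuration option.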