
@Ian Glazer @Chuck Mortimore The biggest obstacle to real-world use of the OAuth 2 JWT Bearer or SAML Assertion grant types that I have found in practice is that you have to send the Salesforce User's Username as the Name Identifier in the JWT's "sub" claim / the SAML assertion's Name Identifier. Why can't we use Federation Id instead? Requiring an API invoker to know the Salesforce user's username functionally requires the username to BE the Federation Id, the common thread that all services use for consistent identification.


I posted an idea about this today:


https://success.salesforce.com/ideaView?id=0873A0000003e2oQAA


The OAuth JWT Bearer or SAML assertion grant types are amazing; when I discovered them years ago they were revolutionary for, functionally, allowing SSO for APIs in a standardized fashion. However, it's been impossible to get real adoption of these with our customers who are trying to use them to connect to Salesforce, due to the requirement that Username be the Salesforce field which gets matched against.


Any thoughts on whether this could be implemented / why only Username is supported right now?


Thanks!
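The assertion the post is talking about, as an added example that is not part of the original post and not Salesforce's code: it builds an RS256-signed JWT bearer assertion whose `sub` claim carries the Salesforce username (with `iss`, `aud` and `exp` alongside it, as the flow requires), wraps it in the `grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer` form body, and then runs the checks a token endpoint makes before it resolves `sub` to a user. The key pair, the consumer key value and the username are constructed sample values; `VerifyAssertion` models the endpoint side for illustration only and makes no claim about how Salesforce implements the lookup.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// BearerClaims are the claims the JWT bearer flow reads: iss is the connected
// app's consumer key, sub is the Salesforce username (the requirement the post
// objects to), aud is the login host, exp the expiry.
type BearerClaims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// BuildAssertion signs the claims as an RS256 JWT with the app's private key.
func BuildAssertion(key *rsa.PrivateKey, c BearerClaims) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64url(header) + "." + b64url(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64url(sig), nil
}

// TokenRequestForm is the form body posted to the token endpoint (RFC 7523 grant type).
func TokenRequestForm(assertion string) url.Values {
	return url.Values{
		"grant_type": {"urn:ietf:params:oauth:grant-type:jwt-bearer"},
		"assertion":  {assertion},
	}
}

// VerifyAssertion models the endpoint's checks before the user lookup: pinned
// algorithm, signature against the registered public key, audience, expiry.
// It returns the claims so the caller can see which identifier (sub) the user
// lookup would be keyed on. Illustrative model, not Salesforce's implementation.
func VerifyAssertion(pub *rsa.PublicKey, token, expectedAud string, now time.Time) (BearerClaims, error) {
	var zero BearerClaims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return zero, errors.New("malformed JWT: expected three segments")
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	hb, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "RS256" {
		return zero, errors.New("unsupported or malformed header") // rejects "none"/HMAC headers
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return zero, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return zero, errors.New("signature does not verify")
	}
	pb, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return zero, err
	}
	var c BearerClaims
	if err := json.Unmarshal(pb, &c); err != nil {
		return zero, err
	}
	if c.Aud != expectedAud {
		return zero, errors.New("audience mismatch")
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return zero, errors.New("assertion expired")
	}
	return c, nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // sample key; a real app uses the cert registered on the connected app
	claims := BearerClaims{
		Iss: "CONSUMER_KEY_PLACEHOLDER", // constructed placeholder, not a real consumer key
		Sub: "jane.doe@example.com",     // the Salesforce username; the Federation ID is not accepted here
		Aud: "https://login.salesforce.com",
		Exp: time.Now().Add(3 * time.Minute).Unix(), // keep the assertion short-lived
	}
	token, err := BuildAssertion(key, claims)
	if err != nil {
		panic(err)
	}
	fmt.Println("grant_type:", TokenRequestForm(token).Get("grant_type"))
	got, err := VerifyAssertion(&key.PublicKey, token, claims.Aud, time.Now())
	fmt.Printf("verified sub=%q err=%v\n", got.Sub, err)
}
```

The verifier pins `alg` to RS256 before touching the signature, checks the audience so an assertion minted for one endpoint cannot be replayed against another, and only then hands back `sub`; whatever field the user lookup keys on (username today, Federation ID as the post asks), that lookup must happen after these checks, never before.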

6 comments
  1. Sep 16, 2019, 7:13 PM
    It's not currently scheduled for an upcoming release. I agree it's a good feature, and will start considering it with the teams.