SASL Authentication fails when custom (non-existing) username is used for JBOSS-LOCAL-USER mechanism. Choosing such a custom username is possible with legacy security. So the SASL authentication using JBOSS-LOCAL-USER behaves differently in Elytron and legacy.

The full discussion to this topic is tracked in project JIRA ELY-1103.

If there is a decision to keep the legacy and Elytron behaviors different in this point, then this JIRA should be reused for tracking it in product documentation (Component: Security -> Documentation).