I'm not able to cut off the realm suffix from the username when authenticating with Kerberos. Legacy security realms provide this functionality, controlled by the "remove-realm" attribute in /core-service=management/security-realm=*/authentication=kerberos.
IMO this should be solvable by principal decoders in Elytron. Nevertheless, currently only the constant and x509 principal decoders are provided, which is not sufficient. I'm not counting the aggregation and concatenation decoders as they are just wrappers. So the current implementations can't solve my scenario - removing the Kerberos realm extension ("jduke@JBOSS.ORG" => "jduke").
There already exists a wider set of principal transformers in Elytron, but the transformers don't change the Principal of the identity and they are just used during authentication.
I suggest creating a new regex-principal-decoder with similar behavior to regex-principal-transformer.
- is related to: JBEAP-8030 Elytron ldap-realm is not able to use LDAP attribute as principal (Resolved)
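The mapping requested above ("jduke@JBOSS.ORG" => "jduke"), as an added example that is not Elytron code and not part of the original report; the class and method names are hypothetical and only JDK classes are used. It assumes the suffix should be stripped only for the one expected realm, so that a same-named user from another realm is not mapped to the same identity.

```java
import java.security.Principal;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Hypothetical sketch, not Elytron code: maps a Principal to a name by applying
// a regex, in the spirit of the regex-principal-decoder suggested in the report.
public class RegexPrincipalDecoderExample {

    /** Returns capture group 1 if the whole principal name matches, otherwise null. */
    static String decode(Principal principal, Pattern pattern) {
        if (principal == null) {
            return null;
        }
        Matcher m = pattern.matcher(principal.getName());
        // matches() anchors at both ends, so trailing text after the realm is rejected.
        return m.matches() ? m.group(1) : null;
    }

    public static void main(String[] args) {
        // Strip the suffix only for the realm this server expects (JBOSS.ORG is the
        // realm named in the report). The local part may not contain '@' or '/',
        // so service principals such as HTTP/host@REALM are not decoded as users.
        Pattern stripRealm = Pattern.compile("([^@/]+)@" + Pattern.quote("JBOSS.ORG"));

        // Constructed sample principal names.
        String[] samples = {
            "jduke@JBOSS.ORG",          // user in the expected realm
            "jduke@OTHER.EXAMPLE",      // same user name, different realm
            "HTTP/localhost@JBOSS.ORG", // service principal
            "jduke",                    // no realm suffix at all
            "jduke@JBOSS.ORG.EXAMPLE"   // realm that merely starts with the expected one
        };
        for (String name : samples) {
            Principal p = () -> name; // getName() is Principal's only abstract method
            System.out.println(name + " => " + decode(p, stripRealm));
        }
    }
}
```

Only the first sample decodes to a name; the others return null, which a caller can treat as "no identity" instead of falling back to the unstripped principal.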