- Feature Request
- Resolution: Done
- Minor
- PLINK_2.1.X
- None
We've had a vendor that triggers part of their application authz process based on the NameID in the assertion response Subject.
They were expecting to get an email address back and we were providing them with a username.
It looks like no matter what NameID format they specify in their AuthN, we always respond with Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" and populate it with the principal of the logged-in user.
I don't think we necessarily try to do anything smart with the AuthN NameID request hint, but it would be really useful if we could choose an attribute, say from the LdapAttributeMappingProvider, to go into the NameID field on a per-SP basis.
https://wiki.shibboleth.net/confluence/display/SHIB2/NameIDAttributes for example
- is related to: PLINK-607 Allow post processing logic after an SAML Assertion is created by the IdP (Resolved)
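
A diagnostic for the behaviour described in this issue, as an added example that is not PicketLink code or part of the original report: it compares the NameIDPolicy Format an SP sent in its AuthnRequest with the NameID the IdP actually issued. The two XML messages and the value `jdoe` are constructed samples.

```python
import xml.etree.ElementTree as ET  # for untrusted input, parse with defusedxml instead

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed sample messages (not captured traffic), trimmed to the relevant elements.
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_req1" Version="2.0">
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/>
</samlp:AuthnRequest>"""

RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" InResponseTo="_req1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">jdoe</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def requested_format(authn_request_xml):
    """Return the NameIDPolicy Format the SP asked for, or None if absent."""
    policy = ET.fromstring(authn_request_xml).find("samlp:NameIDPolicy", NS)
    return policy.get("Format") if policy is not None else None


def issued_name_id(response_xml):
    """Return (Format, value) of the first assertion's Subject NameID."""
    name_id = ET.fromstring(response_xml).find("saml:Assertion/saml:Subject/saml:NameID", NS)
    if name_id is None:
        raise ValueError("no Subject NameID in response")
    return name_id.get("Format", UNSPECIFIED), (name_id.text or "").strip()


def check_name_id(authn_request_xml, response_xml):
    """Compare requested and issued NameID formats; return a findings dict."""
    wanted = requested_format(authn_request_xml)
    fmt, value = issued_name_id(response_xml)
    # A missing or 'unspecified' policy lets the IdP choose; only a concrete request can mismatch.
    mismatch = wanted not in (None, UNSPECIFIED) and wanted != fmt
    return {"requested": wanted, "issued": fmt, "value": value, "mismatch": mismatch}


if __name__ == "__main__":
    print(check_name_id(AUTHN_REQUEST, RESPONSE))
```

The check reads unsigned sample XML only; it does not validate signatures or conditions on the assertion.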