The IDPAccountMapper interface is used on the identity provider side to map user accounts in cases of single sign-on and federation termination. The default implementation, com.sun.identity.saml2.plugins.DefaultIDPAccountMapper, maps the accounts based on the persistent NameID attribute.