Consider method SecurityManager#getMemberships on master:
Only in the "else" branch, sanitizeUserId(rawUserId), is called. It checks for case sensitivity on the providers user manager.
Not sanitizing the raw user id for non-internal providers breaks the login functionality for an external provider with case-insensitive LDAP integration.
A client's use case with this set up needed to fork the class with an extra sanitizeUserId() call in the "if" branch to work.