When a client authenticates with SASL EXTERNAL, a username can be provided by the client. This is then used to authenticate with. If the username is not provided, Openfire will try to obtain it from the certificate that's used (although this mechanism is pluggable, and other mappings can be configured).
When the username is provided, it's assumed to be a username of Openfire. It has been observed that a client uses a bare JID instead of a username. This arguably is a client error, but Openfire should allow for this, provided that the domain part of the JID equals the XMPP domain of the server.
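A sketch of the check requested above, added here as an illustration and not taken from Openfire's code: it accepts a plain username or a bare JID whose domain matches the server's XMPP domain, and rejects everything else. The class name `ExternalAuthzId`, the method `toLocalUsername` and the sample domain `example.org` are hypothetical; the domain comparison is a simplified case-insensitive match, not full JID normalisation.

```java
import java.util.Optional;

/** Hypothetical helper for illustration; not an Openfire class. */
public final class ExternalAuthzId {

    private ExternalAuthzId() {}

    /**
     * Maps the identity a client sent with SASL EXTERNAL to a local username.
     * Returns empty when the value must be rejected. An absent identity is
     * assumed to be handled by the caller (certificate mapping) beforehand.
     */
    static Optional<String> toLocalUsername(String provided, String xmppDomain) {
        if (provided == null || provided.isEmpty()) {
            return Optional.empty();
        }
        if (provided.indexOf('/') >= 0) {
            return Optional.empty(); // full JID with resource: neither username nor bare JID
        }
        int at = provided.indexOf('@');
        if (at < 0) {
            return Optional.of(provided); // plain username, used as before
        }
        if (at == 0 || at != provided.lastIndexOf('@')) {
            return Optional.empty(); // empty local part or more than one '@'
        }
        String local = provided.substring(0, at);
        String domain = provided.substring(at + 1);
        // Only strip the domain when it is this server's own XMPP domain.
        // Simplified comparison (assumption): real JID matching needs normalisation.
        if (!domain.equalsIgnoreCase(xmppDomain)) {
            return Optional.empty();
        }
        return Optional.of(local);
    }

    public static void main(String[] args) {
        String serverDomain = "example.org"; // constructed sample value
        String[] samples = {                 // constructed sample inputs
            "alice", "alice@example.org", "alice@EXAMPLE.ORG",
            "alice@other.example", "alice@example.org/laptop", "@example.org"
        };
        for (String s : samples) {
            System.out.println("'" + s + "' -> "
                + toLocalUsername(s, serverDomain).orElse("<rejected>"));
        }
    }
}
```

Rejecting a mismatched domain instead of silently dropping it keeps a client that presents `alice@other.example` from being authenticated as the local user `alice`.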