...
An Identity Provider that supports the R&S category MUST be willing and able to release all R&S attributes to all R&S Service Providers. The only possible exception is the eduPersonUniqueId attribute: If the Identity Provider’s deployment of eduPersonPrincipalName is non-reassigned, release of eduPersonUniqueId is strictly OPTIONAL.
An Identity Provider MUST release an R&S attribute upon request, in one of two ways:
- By unconditionally releasing that attribute to all R&S SPs
- By conditionally releasing that attribute based on the <md:RequestedAttribute> elements in Service Provider metadata
A sufficiently capable IdP deployment MAY optimize attribute release based on the <md:RequestedAttribute> elements in Service Provider metadata.
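The two release modes above, as an added Python example that is not part of the specification text: it computes what an IdP would release to an SP from that SP's metadata. The function names, the sample metadata and the four-attribute bundle (a partial list) are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
RS_CATEGORY = "http://refeds.org/category/research-and-scholarship"
EPPN = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"    # eduPersonPrincipalName
EPUID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.13"  # eduPersonUniqueId
MAIL = "urn:oid:0.9.2342.19200300.100.1.3"   # mail
DISPLAY = "urn:oid:2.16.840.1.113730.3.1.241"  # displayName
# Assumed, partial bundle for illustration; take the full list from the specification.
RS_BUNDLE = {EPPN, EPUID, MAIL, DISPLAY}

def is_rs_sp(entity):
    """True if the SP metadata carries the R&S entity-category value."""
    for attr in entity.iterfind("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") == "http://macedir.org/entity-category" and any(
                (v.text or "").strip() == RS_CATEGORY
                for v in attr.iterfind("saml:AttributeValue", NS)):
            return True
    return False

def requested(entity):
    """Names of all <md:RequestedAttribute> elements in the SP metadata."""
    return {e.get("Name") for e in entity.iterfind(".//md:RequestedAttribute", NS)}

def release_set(entity, conditional, eppn_non_reassigned=False, withhold_epuid=False):
    """Attribute names released to this SP under the R&S rules."""
    if withhold_epuid and not eppn_non_reassigned:
        raise ValueError("eduPersonUniqueId is OPTIONAL only if ePPN is non-reassigned")
    if not is_rs_sp(entity):
        return set()  # not an R&S SP: this policy grants nothing
    bundle = RS_BUNDLE - {EPUID} if withhold_epuid else set(RS_BUNDLE)
    # Conditional release never exceeds the bundle, whatever else the SP requests.
    return bundle & requested(entity) if conditional else bundle

# Constructed sample SP metadata: requests ePPN, mail and one non-R&S attribute.
SAMPLE_XML = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" entityID="https://sp.example.org/sp">
 <md:Extensions><mdattr:EntityAttributes>
  <saml:Attribute Name="http://macedir.org/entity-category">
   <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
  </saml:Attribute></mdattr:EntityAttributes></md:Extensions>
 <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:AttributeConsumingService index="1">
   <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"/>
   <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3"/>
   <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7"/>
  </md:AttributeConsumingService></md:SPSSODescriptor></md:EntityDescriptor>"""
SAMPLE_SP = ET.fromstring(SAMPLE_XML)
```

In conditional mode the third requested attribute (eduPersonEntitlement) is dropped because it is outside the bundle, and an SP without the R&S category value gets nothing from this policy.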
...