That said, if an SP requests an attribute outside the R&S attribute bundle, an IdP that supports R&S is by no means required to release it.
Will I definitely get the attributes requested?
Release of data from organisations is governed by data protection laws that provide a variety of mechanisms to ensure that people and organisations have choice over the data that is released. R&S is designed to safely and securely release appropriate and required data and all IdPs are encourage to release requested attributes. There may however be legitimate reasons for attributes not be release (e.g. user consent, data not available for all users in IDM systems etc.). SPs are encouraged to consider providing helpful error message screens where this may impact service provision.
Are attributes single or multi valued?
Service Providers should reference the eduPerson specification for details on values that may be received per attribute, but in general terms:
displayName are single valued.
sn, email address,
eduPersonScopedAffiliationcan be mutli valued.
For IdP Operators
What attributes should be released by an R&S IdP?