An Identity Provider that supports the R&S category MUST be willing and able to release all R&S attributes to all R&S Service Providers. The only exception is the eduPersonUniqueId attribute: If the Identity Provider’s deployment of eduPersonPrincipalName is non-reassigned, release of eduPersonUniqueId is strictly OPTIONAL.
In practice, an Identity Provider MUST release an R&S attribute upon request, in one of two ways:
- By unconditionally releasing that attribute to all R&S SPs
- By conditionally releasing that attribute based on the <md:RequestedAttribute> elements in Service Provider metadata
As suggested above, a sufficiently capable IdP deployment MAY optimize attribute release based on the <md:RequestedAttribute> elements in Service Provider metadata.
If a Service Provider lists the eduPersonPrincipalName attribute in metadata, and the Identity Provider's deployment of eduPersonPrincipalName may be reassigned, then the Identity Provider MUST release both eduPersonPrincipalName and eduPersonUniqueId to the Service Provider regardless of whether eduPersonUniqueId is listed in metadata.
If a Service Provider lists the eduPersonUniqueId attribute in metadata, and the Identity Provider's deployment of eduPersonPrincipalName is non-reassigned, the release of eduPersonUniqueId is OPTIONAL despite its being listed in metadata.
Beyond the two special cases noted above, an Identity Provider is NOT REQUIRED to release any R&S attribute not listed in metadata. Moreover, any non-R&S attribute listed in Service Provider metadata is out of scope with respect to this specification.
An Identity Provider MUST NOT require the isRequired XML attribute to be present on any given requested R&S attribute in Service Provider metadata. That is, an Identity Provider that supports the R&S category MUST be able to meet the requirements of this specification regardless of whether the isRequired XML attribute is (or is not) present on any given requested R&S attribute in Service Provider metadata.
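The release rules above (release all R&S attributes, or optimize on <md:RequestedAttribute>, with the eduPersonUniqueId special cases and the requirement to ignore isRequired) can be modelled as a small decision procedure. The following is an added example, not code from the specification or from any IdP product. It assumes a fixed R&S attribute set (the actual bundle is defined elsewhere in the specification), a lookup table from attribute OIDs to friendly names, a constructed SP metadata fragment, and that an IdP whose eduPersonPrincipalName is non-reassigned chooses to omit the OPTIONAL eduPersonUniqueId.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Assumed R&S attribute set for this example; the specification defines the real bundle.
RS_ATTRIBUTES = frozenset({"eduPersonPrincipalName", "eduPersonUniqueId", "mail", "displayName"})

# Assumed OID -> friendly-name table so metadata that omits FriendlyName can still be matched.
OID_TO_FRIENDLY = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "eduPersonPrincipalName",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.13": "eduPersonUniqueId",
    "urn:oid:0.9.2342.19200300.100.1.3": "mail",
    "urn:oid:2.16.840.1.113730.3.1.241": "displayName",
}

# Constructed SP metadata fragment (not a real entity). It requests ePPN with isRequired,
# mail without isRequired, and one non-R&S attribute that is out of scope here.
SAMPLE_SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AttributeConsumingService index="0">
      <md:ServiceName xml:lang="en">Example R&amp;S Service</md:ServiceName>
      <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail"/>
      <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.25178.1.2.9" FriendlyName="schacHomeOrganization"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def requested_attributes(metadata_xml: str) -> set[str]:
    """Collect the friendly names of every md:RequestedAttribute in the SP metadata.

    isRequired is deliberately not consulted: the IdP MUST NOT depend on it being present.
    """
    root = ET.fromstring(metadata_xml)
    names = set()
    for ra in root.iter(f"{{{MD_NS}}}RequestedAttribute"):
        name = ra.get("Name", "")
        names.add(ra.get("FriendlyName") or OID_TO_FRIENDLY.get(name, name))
    return names


def attributes_to_release(requested: set[str], eppn_reassignable: bool, optimize: bool) -> set[str]:
    """Return the R&S attributes this IdP releases to an R&S SP.

    optimize=False: unconditional release of the whole R&S set.
    optimize=True:  release only requested R&S attributes, plus the special cases.
    Non-R&S attributes in metadata are out of scope and never released by this logic.
    """
    if optimize:
        release = {a for a in requested if a in RS_ATTRIBUTES}
        # Special case 1: ePPN requested and reassignable -> eduPersonUniqueId MUST also go,
        # whether or not it was listed.
        if "eduPersonPrincipalName" in requested and eppn_reassignable:
            release.add("eduPersonUniqueId")
    else:
        release = set(RS_ATTRIBUTES)
    # Special case 2 (and the general exception): with non-reassigned ePPN the release of
    # eduPersonUniqueId is OPTIONAL; this example IdP chooses to withhold it.
    if not eppn_reassignable:
        release.discard("eduPersonUniqueId")
    return release


if __name__ == "__main__":
    req = requested_attributes(SAMPLE_SP_METADATA)
    for reassignable in (True, False):
        for opt in (True, False):
            print(f"reassignable={reassignable} optimize={opt}:",
                  sorted(attributes_to_release(req, reassignable, opt)))
```

Running the block prints the release set for each combination; the out-of-scope schacHomeOrganization never appears, and eduPersonUniqueId appears only when eduPersonPrincipalName is reassignable.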