sub - a non-persistent user identifier.
realmName - the SAML entityID of the end-users' organisation - e.g.
Issuer.errorURL - where present will be a URL a user can be sent to when you can't let them in because of something at their end. See: The errorURL attribute and what it is for
eduPersonTargetedID - a persistent user identifier
eduPersonScopedAffiliation - a scoped role - e.g.
derivedEduPersonAffiliation - just the role bit extracted from the thing above - e.g.
derivedEduPersonScope - just the scope bit, etc - e.g.
pairwiseID - another persistent user identifier
There may be more, depending on what the identity provider is sending, but these should always show up.