sub- a non-persistent user identifier.
realmName- the SAML entityID of the end-users' organisation - e.g.
Issuer.errorURL- where present will be a URL a user can be sent to when you can't let them in because of something at their end. See: The errorURL attribute and what it is for
eduPersonTargetedID- a persistent user identifier
eduPersonScopedAffiliation- a scoped role - e.g.
derivedEduPersonAffiliation- just the role bit extracted from the thing above - e.g.
derivedEduPersonScope- just the scope bit, etc - e.g.
- One or both of these identifiers depending on the identity provider
eduPersonTargetedID- a persistent user identifier, being depreciated in many federations
pairwiseID- a persistent user identifier that is replacing
There may be more, depending on what the identity provider is sending, but these should always show up.