I added a profile setting to the IdP’s attribute-resolving profiles called attributeRecipientGroupID, which maps loosely to SAML’s affiliations and OpenID’s sector ID.

It’s wired into the standard ResolveAttributes and FilterAttributes actions but it depends on an interface I don’t think the OP is actually using (AttributeResolvingProfileConfiguration).

So there’s probably more to do here in concert with the IdP perhaps, not sure, but that interface only carries two options, this new one and a flag for whether to resolve attributes at all. So possibly we can rebase the OP’s profile configs on it where applicable.

Anywhere we’re running ResolveAttributes, we should do “something” to allow for this to be set and populated.

I don’t believe we’re setting this now based on the RP sector_id, but maybe we’re doing something more exotic. My change to the IdP actions won’t break that but we may need to rationalize it all.