...

  1. The profile is included in the shibboleth.UnverifiedRelyingParty relying party configuration

  2. The request message is compliant with the unregistered client policy configured for the profile

In addition to the two requirements above, for the profiles that require client authentication (OAUTH2.Token, OAUTH2.Introspection and OAUTH2.Revocation), the client authentication (by default: authn/OAuth2Client) needs to be configured to successfully authenticate the unregistered client.

In effect the policy allows control over the behavior despite the lack of metadata. Some IdP features, such as the Attribute Filter, will already honor rules based on the “requester” despite the lack of metadata, provided that the request makes it far enough to reach that step. Scripts that interrogate, e.g., the relying party ID, will also be functional and would need to include additional logic to check for the verified status of the request to distinguish these cases.

...