At the red (2) above we see our attempt to expose some “contextual” parameters that are usable in mapping.
Below it we also note the contract we formally disclose about the token's content (one day in OAuth metadata, presumably, once the “new” standard catches up with “old” SAML). We add petername.
Now, when fulfilling that contract, why can we not fulfil petername from any of the inbound SAML assertion's attributes/claims? Why is the mapping restricted to the SAML subject? This makes no sense (though I can see lots of dogma reasons for it).
I think the answer is to first extend the attribute contract: think of the “OAuth SAML Grant Attribute Mapping” much as one thinks of an SP adapter contract definition.
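To make the point concrete, here is an added example (not code from the original post or from any product it describes) of what the extended contract would look like in working form: the inbound assertion's Subject/NameID and its AttributeStatement are both parsed, and a contract maps each token claim to either source, so petername can be fulfilled from an assertion attribute rather than only from the subject. The assertion, the attribute names and the `CONTRACT` shape are constructed for illustration; signature, audience and validity-window checks are assumed to have already passed before this mapping step runs.

```python
"""
Added example: fulfil an OAuth SAML bearer grant attribute contract from
BOTH the SAML Subject and the AttributeStatement (not just the subject).
Assumptions (not from the original post): the assertion is already
signature-verified and condition-checked; attribute and claim names
are hypothetical.
"""
import xml.etree.ElementTree as ET

# NOTE: for untrusted XML in production use defusedxml, and verify the
# XML signature before trusting any element below.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (illustration only, not a real token).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2020-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.test</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="petername">
      <saml:AttributeValue>Fido</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>staff</saml:AttributeValue>
      <saml:AttributeValue>admins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# The extended contract: token claim -> (source, attribute name).
# "subject" pulls from Subject/NameID; "attribute" pulls from the
# AttributeStatement. Hypothetical shape, chosen for this example.
CONTRACT = {
    "sub": ("subject", None),
    "petername": ("attribute", "petername"),
    "groups": ("attribute", "groups"),
}


def parse_assertion(xml_text):
    """Return {'subject': NameID, 'attributes': {name: [values]}}."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        raise ValueError("not a SAML 2.0 Assertion")
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion has no Subject/NameID")
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return {"subject": name_id.text.strip(), "attributes": attrs}


def subject_only_contract(parsed, contract):
    """The restricted behaviour the post complains about: only claims
    sourced from the subject can ever be fulfilled."""
    return {c: parsed["subject"] for c, (src, _) in contract.items() if src == "subject"}


def fulfil_contract(parsed, contract, strict=True):
    """Fulfil every claim in the contract from its declared source.
    With strict=True a contract claim the assertion cannot supply is an
    error rather than a silently missing claim."""
    claims, missing = {}, []
    for claim, (source, name) in contract.items():
        if source == "subject":
            claims[claim] = parsed["subject"]
        elif source == "attribute":
            values = parsed["attributes"].get(name)
            if not values:
                missing.append(claim)
                continue
            # Single-valued attributes become scalars; multi-valued stay lists.
            claims[claim] = values[0] if len(values) == 1 else list(values)
        else:
            raise ValueError("unknown source %r for claim %r" % (source, claim))
    if strict and missing:
        raise ValueError("assertion cannot fulfil contract claims: " + ", ".join(missing))
    return claims


if __name__ == "__main__":
    parsed = parse_assertion(SAMPLE_ASSERTION)
    print("subject-only:", subject_only_contract(parsed, CONTRACT))
    print("extended:    ", fulfil_contract(parsed, CONTRACT))
```

The strict mode matters: if the contract promises petername to resource servers and the IdP stops sending that attribute, the grant should fail at the mapping step rather than mint an access token that silently breaks the disclosed contract.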