3.1.5.4.4 User Attribute Retrieval

If additional claims are required by a ClaimsOut entry for the relying party, as specified in section 3.1.1.2, the IP/STS MUST retrieve the correct values that correspond to the authenticated identity of the user. How this is performed is implementation-specific and not addressed in this protocol. The IP/STS SHOULD<58> retrieve the data from an authoritative user attribute authority based on the value of the AuthIdentity element from the user's Authentication Context.