...
A Relying Party consuming a scoped attribute SHOULD verify that the issuing IdP is authorized to assert the given scope. This verification is performed by checking the Identity Provider's metadata entry, as described in Section 2.1.4 Scope of the SAML 2.0 WebSSO Technology Profile.
...