...
A Relying Party consuming a scoped attribute SHOULD verify that the issuing IdP is authorized to assert the given scope. This verification is performed by checking the Identity Provider's metadata entry, as described in Section 2.1.4 Scope of the SAML 2.0 WebSSO Technology Profile.
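The scope check described above, as an added example that is not part of the profile text. It assumes the authorized scopes are published as shibmd:Scope elements in the IdP's metadata entry, that the metadata has already been signature-verified, and that Python's regular expression syntax is acceptable for regexp scopes; the entity IDs, scopes and function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
SHIBMD = "{urn:mace:shibboleth:metadata:1.0}"  # assumption: scopes published as shibmd:Scope

# Constructed federation metadata; assumed to be signature-verified before this point.
SAMPLE_METADATA = r"""<md:EntitiesDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0">
  <md:EntityDescriptor entityID="https://idp.example.org/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions><shibmd:Scope regexp="false">example.org</shibmd:Scope></md:Extensions>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.example.net/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions><shibmd:Scope regexp="true">^[a-z]+\.example\.net$</shibmd:Scope></md:Extensions>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def registered_scopes(metadata_xml, issuer):
    """Return [(scope_text, is_regexp)] from the metadata entry whose entityID is `issuer`."""
    for entity in ET.fromstring(metadata_xml).iter(MD + "EntityDescriptor"):
        if entity.get("entityID") == issuer:
            return [((s.text or "").strip(), s.get("regexp") in ("true", "1"))
                    for s in entity.iter(SHIBMD + "Scope")]
    return []  # unknown issuer: no scope is authorized


def scope_authorized(value, issuer, metadata_xml):
    """True only if `value` is local@scope and `issuer` is registered for that scope."""
    local, sep, scope = value.partition("@")
    if not (local and sep and scope) or "@" in scope:
        return False  # malformed value: fail closed
    for text, is_regexp in registered_scopes(metadata_xml, issuer):
        # Literal scopes are compared exactly; regexp scopes must match the whole scope.
        if (re.fullmatch(text, scope) is not None) if is_regexp else (text == scope):
            return True
    return False
```

A Relying Party would call scope_authorized with the entityID taken from the assertion's Issuer and discard the attribute value when it returns False.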
...
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">7803e459-881d-416f-a57c-4ce5eda0b79b@example.org</saml2:AttributeValue>
...
The value MUST be persistent, stable over time, and globally unique, and MUST NOT be reassigned to another subject.
The identifier MUST be designed such that its value does not directly or indirectly reveal the identity of an individual.
The identifier MUST be constructed as a locally unique value followed by “@” and a scope. The combination of the locally unique value and scope uniquely identifies the subject within the federation.
...
The value MUST be persistent and stable over time for a given subject–Relying Party pair, and MUST NOT be reassigned to another subject.
The identifier MUST be designed such that its value does not directly or indirectly reveal the identity of an individual.
The identifier MUST be generated in a manner that prevents the subject from being correlated across different Relying Parties.
...