Notes on usage:
- "example.ac.at", should use the same "canonical" DNS domain as the "scope" part of eduPersonPrincipalName and eduPersonScopedAffiliation.
- Could be used as an identifier for the institution which is independent from the Identity Provider's entityID (e.g. for mapping of institutional contracts)
- Could be used to only send the "scope" part of eduPersonScopedAffiliation when the "affiliation" is not needed at the Service Provider
- TCS Personal Certs