Sometimes we would like to restrict certain users so that they can only authenticate to a subset of SPs, but we do not always have the ability to enforce this on the SP side. We would therefore like a way to associate users or roles with the various SPs that the IdP trusts. This would give us flexibility in our testing environments: multiple customers could have independent credentials without their associated applications being opened up to each other. It has the added benefit of imposing no additional configuration on the SP side. Note that because each SP accepts any assertion the IdP issues for it, the restriction is only as strong as the IdP's enforcement, so the check has to be applied uniformly to SP-initiated and IdP-initiated flows, and a refused request should be logged.
This would primarily be useful in our testing environments, but it could also provide the basis for a "portal" style approach to IdP-initiated authentication, since the IdP configuration would now carry an attribute that lets you filter the list of SPs down to only those a given user may access.
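The following is an added example of what such an IdP-side mapping could look like; it is not code from any IdP product and the entityIDs, role names and function names are hypothetical. It keeps a deny-by-default map from relying-party entityID to the roles allowed to use it, exposes a single authorization decision that both the SP-initiated and the IdP-initiated path would call, and derives the portal list for a user from the same map so the two can never disagree. The refusal is expressed with the SAML 2.0 Responder/RequestDenied status pair.

```python
"""Added example (not from the original page): role-to-SP authorization on the IdP side."""
import logging
from dataclasses import dataclass

log = logging.getLogger("idp.rp-access")

# Constructed configuration (hypothetical entityIDs and roles): which roles may
# receive an assertion for which relying party. The literal "*" means any
# authenticated user. Any entityID missing from this map is denied.
RELYING_PARTY_ACCESS = {
    "https://sp.customer-a.example/shibboleth": {"customer-a", "qa"},
    "https://sp.customer-b.example/shibboleth": {"customer-b", "qa"},
    "https://sp.shared.example/shibboleth": {"*"},
}

# Real SAML 2.0 status codes used for a refused request.
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
STATUS_REQUEST_DENIED = "urn:oasis:names:tc:SAML:2.0:status:RequestDenied"


@dataclass(frozen=True)
class User:
    """The authenticated principal and the roles the IdP resolved for it."""
    name: str
    roles: frozenset


def is_authorized(user, entity_id, access=RELYING_PARTY_ACCESS):
    """Deny by default: unknown SPs and SPs with no overlapping role are refused."""
    allowed_roles = access.get(entity_id)
    if allowed_roles is None:
        return False
    if "*" in allowed_roles:
        return True
    return bool(user.roles & allowed_roles)


def accessible_sps(user, access=RELYING_PARTY_ACCESS):
    """Portal view: the SPs this user may reach, derived from the same map."""
    return sorted(eid for eid in access if is_authorized(user, eid, access))


def authorize_authn_request(user, entity_id, initiated_by, access=RELYING_PARTY_ACCESS):
    """Single decision point used for both SP-initiated and IdP-initiated flows.

    Returns a small dict the assertion-issuing code would consult; a denial
    carries the SAML status pair to put in the Response and is logged.
    """
    if is_authorized(user, entity_id, access):
        log.info("rp-access allow user=%s sp=%s flow=%s", user.name, entity_id, initiated_by)
        return {"allowed": True, "entity_id": entity_id}
    log.warning("rp-access deny user=%s sp=%s flow=%s", user.name, entity_id, initiated_by)
    return {
        "allowed": False,
        "entity_id": entity_id,
        "status": STATUS_RESPONDER,
        "sub_status": STATUS_REQUEST_DENIED,
    }


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    alice = User("alice", frozenset({"customer-a"}))
    print(accessible_sps(alice))
    print(authorize_authn_request(alice, "https://sp.customer-b.example/shibboleth", "sp"))
```

Because `accessible_sps` and `authorize_authn_request` both go through `is_authorized`, a user can never be shown a portal entry for an SP that the request path would then refuse, and an SP that is added to the IdP's trust list but not to the map stays unreachable until someone deliberately grants it.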