The only thing that is consistent about the attributes which are returned by the various social identity providers is that they are inconsistent. 

The Cirrus Gateway Console allows you to choose an option for how to map eduPersonPrincipalName. The options are:

  • None
  • Email
  • Unique ID scoped to the provider
Provider Recommended Option Notes
AOL Email Since AOL is a mail provider, you should get back a value with a scope of @aol.com. Because of this, the AOL social provider endpoint is also scoped to @aol.com, and, therefore, you should not have any issues with this ePPN option running afoul of the default Shibboleth Service Provider attribute policy.
Facebook Unique ID scoped to the provider (@facebook.com) As of Spring 2014, Facebook is no longer returning the Facebook username, and instead is returning an "application scoped" ID, i.e., a targeted ID. Please see the idsection of the Facebook Graph API documentation. This means that each SP that has its own integration with Facebook, will get a different ID for the same user. Therefore, if you are planning to use the Cirrus Identity Invitation Service, you must share the same API Key/Secret with each of the SPs that will be integrated with Facebook.
Google Unique ID scoped to the provider (@google.com) Google's unique ID is the ID that shows for a user on their Google+ Profile page. Even if the user has not enabled Google+, the user still has this ID (even if the user is a Google Apps for Business or Education customer).
LinkedIn Unique ID scoped to the provider Like Facebook, LinkedIn only provides a targeted ID. However, with LinkedIn the situation is quite a bit more severe, in that a user's ID is tied to the actual API Key/Secret, and not the LinkedIn application that you associate with your SP. The reason this is important to note is, unlike Facebook which does not allow you to change your API Key/Secret, LinkedIn does allow you to regenerate your API Key/Secret for any application, and if you do this, user ID will change! Therefore, if you use LinkedIn, be sure to never change your API Key/Secret. Also, just as with Facebook, if you want to use the Cirrus Identity Invitation Service, you must share the same API Key/Secret with each of the SPs that will be integrated with LinkedIn.
Twitter Unique ID scoped to the provider (@twitter.com) Like Google, Twitter provides and ID that is unique to the user, and we recommend that you use this ID which will be scoped to @twitter.com.
Windows Live (Hotmail) Unique ID scoped to the provider (@live.com) Like Google, and Twitter, Windows Live provides an ID that is unique to the user, and we recommend that you use this ID which will be scoped to @live.com.
Yahoo! Email Since Yahoo! is a mail provider, you should get back a value with a scope of@yahoo.com. Because of this, the Yahoo! social provider endpoint is also scoped to@yahoo.com, and. therefore, you should not have any issues with this ePPN option running afoul of the default Shibboleth Service Provider attribute policy.