SSO (SAML / OIDC / LTI) authentication attribute mapping
Currently, Adobe's SSO mechanisms do not allow you to customize which IdP attributes map to which Adobe profile fields. You are restricted to using the "default" attributes dictated by Adobe: https://helpx.adobe.com/enterprise/using/automatic-account-creation.html#attribute-mappings
Adobe support states that the attribute release should be handled/customized on the IdP end and that this feature is not offered by Adobe.
In a lot of SAML and LTI implementations, it is against best practice to override standard attributes with new values on the IdP end. Instead, you are able to release additional custom attributes, and the SP or Tool Provider (Adobe, in this case) should be able to map those to Adobe's profile fields.
For example, the Canvas LMS does not allow you to override attributes at all. You can only add new attributes per tool, prefixed with "custom_". This causes an issue with Canvas specifically, because Canvas allows users to change their default email address. What most Canvas admins do to circumvent issues is release an additional attribute like "upn" or "eppn" which contains the user's official school email address.
Much like other apps, Adobe's user mapping is done through email address. But other apps allow you to say, "use the UPN attribute for email address".
Given these limitations, the Adobe LTI for Canvas cannot be used properly in our environment in its current state, as Adobe cannot properly match up users who have modified their Canvas emails.
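The mismatch described in the post above, as an added illustration that is not Adobe's or Canvas's code and not part of the original post: it matches an LTI launch to an existing account first with a fixed email mapping, then with a configurable one, and flags launches where the user-editable email no longer agrees with the released identifier. The `custom_upn` parameter name, the mapping lists, the account table and both launches are constructed assumptions; `lis_person_contact_email_primary` is the standard LTI 1.1 email parameter.

```python
# Added illustration: constructed data, hypothetical mapping format.
# Existing SP accounts, keyed by the official school email address.
ACCOUNTS = {"jdoe@school.example": "profile-001"}

# Fixed behaviour: only the standard LTI email parameter is consulted.
DEFAULT_MAPPING = ["lis_person_contact_email_primary"]
# Requested behaviour: an admin-chosen custom attribute takes precedence.
CUSTOM_MAPPING = ["custom_upn", "lis_person_contact_email_primary"]


def normalize(value):
    """Trim and lowercase so comparisons are not defeated by case or spacing."""
    return (value or "").strip().lower()


def match_account(launch, mapping, accounts=ACCOUNTS):
    """Return the account matched by the first non-empty mapped attribute."""
    for name in mapping:
        email = normalize(launch.get(name))
        if email:
            return {"source": name, "email": email, "account": accounts.get(email)}
    return {"source": None, "email": None, "account": None}


def email_diverges(launch):
    """True when the user-editable email differs from the released UPN."""
    upn = normalize(launch.get("custom_upn"))
    email = normalize(launch.get("lis_person_contact_email_primary"))
    return bool(upn and email and upn != email)


# Constructed launches: one user left the Canvas email alone, one changed it.
UNCHANGED = {"lis_person_contact_email_primary": "JDoe@school.example",
             "custom_upn": "jdoe@school.example"}
CHANGED = {"lis_person_contact_email_primary": "jd.personal@mail.example",
           "custom_upn": "jdoe@school.example"}

if __name__ == "__main__":
    for label, launch in (("unchanged", UNCHANGED), ("changed", CHANGED)):
        print(label, match_account(launch, DEFAULT_MAPPING),
              match_account(launch, CUSTOM_MAPPING), email_diverges(launch))
```

With the fixed mapping, the user who changed their Canvas email matches no account; with the custom mapping, the same launch resolves to the existing profile.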
