Placeholder page for drafting use cases and eventually examples for configuring relying party behavior using dynamic detection of metadata tags.
Signed Assertions vs. Responses
Enabling signed assertions is advisedly handled by turning on
WantAssertionsSigned in metadata, but isn't always possible and sometimes has to be combined with disabling signed responses (or just for efficiency).
Setting idp.encryption.optional is usually a workaround for handling the majority of SPs without encryption support, but there are a couple of scenarios in which it's useful to be able to manually disable it. Some federations (InCommon for one) have limitations such that SPs without encryption support are stuck registering keys they don't support. Some SPs support encryption but build in time-bombs by forcing flag day key rotations on all IdPs that cause outages or manual work.
There are metadata extensions that are meant to be used to signal algorithm support, but they're not widely used at this point. The most common scenario is to force SHA-1 for older systems.
A common use case is enabling SAML 1 for legacy systems, often combined with either enabling queries or attribute push (to eliminate the queries).
NameID Format Exceptions
<NameIDFormat> elements in metadata (which can also be added at runtime with a filter) is the normal way to trigger them, but the "unspecified" Format has to be triggered with a profile setting. That's not common, but it's easy to define a tag for just in case. The problem is that any two SPs using it are only coincidentally going to want the same data, so this isn't solely a matter of format selection.
Some of the other profile settings are workarounds for bugs, e.g., omitting the NotBefore attribute. Likely not very common but easily tag-driven.
Handling SPs that require MFA but can't request it requires IdP-side configuration.
Attribute Release Consent
Triggering consent based on the SP is pretty common.
The authorization checking flow is another case, though the checking condition would probably to be extended for each different service/scenario.
Not relying-party-driven, but a canonical case for using metadata tagging is to drive attribute release, occasionally via bundles a la R&S and also piecemeal. FIltering is ultimately going to perform proportional to the number of policies times their individual overhead, so if tag-based rules are sufficiently fast, a policy per attribute would ultimately match or exceed the approach of defining policies per service.