Add (optional) secondary idp/mdl attribute mapping

[keevan]

Transitioning users using one field to another for a client requires matching a field which might not be populated yet. As such, it may need to still rely on the secondary field being populated. The reason for the new primary mapped field, is that the secondary field (e.g. email) might change, based on the person's current personal details such has name.

To make this work as seamlessly as possible, we opted to use an entra id (idp specific id tied to a user for their lifetime on that application regardless of email/name changes). As such the fields would change from:

• email -> email

to:

• entraid -> idnumber
• email -> email (as a fallback or secondary matcher, should the first not match against a user)

There are a number of reasons why the first value (entraid) might not be populated yet, let's just say they are eventually consistent / populated as they log in.