Security recommendations for IdPs

[sdesen]

Related to #14 , the Idp will somehow map or discover client IDs to issuer url.

when it comes to the Idp itself adding an issuerUrl (audience) to the minted id-jag token, should there be recommendations or mentions of the Idps responsibility to somehow trust those mappings which are stored or discovered?

[sdesen]

I can also phrase it this way - #59 (comment)

In this addition

Note: The IdP Authorization Server is also responsible for mapping subject identifiers across Clients and trust domains in the ID-JAG.

Is this responsibility core to the trust relationships of the flow, or an implementation/operational requirement. If the former, let's specify.