...

For the purposes of access control, a non-reassigned persistent identifier is REQUIRED. If your deployment of eduPersonPrincipalName is non-reassigned, it will suffice. Otherwise you MUST release eduPersonTargetedID (which is non-reassigned by definition) in addition to eduPersonPrincipalName. In any case, release of both identifiers is RECOMMENDED.

An Optimization

If a service provider lists any of the person name attributes in metadata, the identity provider MUST release some form of person name, either displayName or givenName + sn. Beyond that, an identity provider is NOT REQUIRED to release any attribute not listed in metadata.
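The two MUST-level rules above can be checked mechanically against an identity provider's proposed release set. The following is an added example, not part of the original page or of any federation tooling: the function names and the SP metadata are constructed for illustration, the attribute names are the standard `urn:oid` forms, and the metadata is assumed to have been signature-verified before parsing.

```python
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
OID = {  # standard urn:oid names for the attributes named in the text
    "eduPersonPrincipalName": "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
    "eduPersonTargetedID": "urn:oid:1.3.6.1.4.1.5923.1.1.1.10",
    "displayName": "urn:oid:2.16.840.1.113730.3.1.241",
    "givenName": "urn:oid:2.5.4.42",
    "sn": "urn:oid:2.5.4.4",
}
NAME_BY_OID = {v: k for k, v in OID.items()}

# Constructed sample: an SP that lists only displayName in its metadata.
SAMPLE_SP_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AttributeConsumingService index="1">
      <md:ServiceName xml:lang="en">Constructed example SP</md:ServiceName>
      <md:RequestedAttribute FriendlyName="displayName"
          Name="urn:oid:2.16.840.1.113730.3.1.241"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

def requested_attributes(metadata_xml):
    """Friendly names of the attributes the SP lists (metadata assumed already verified)."""
    root = ET.fromstring(metadata_xml)
    names = {el.get("Name") for el in root.iter(MD + "RequestedAttribute")}
    return {NAME_BY_OID[n] for n in names if n in NAME_BY_OID}

def check_release(metadata_xml, released, eppn_reassigned):
    """Return the MUST-level violations for a proposed release set (hypothetical helper)."""
    released, problems = set(released), []
    ids = {"eduPersonPrincipalName", "eduPersonTargetedID"}
    if eppn_reassigned and not ids <= released:
        problems.append("reassignable ePPN: release eduPersonTargetedID in addition to ePPN")
    elif not eppn_reassigned and not ids & released:
        problems.append("no non-reassigned persistent identifier released")
    if requested_attributes(metadata_xml) & {"displayName", "givenName", "sn"}:
        if "displayName" not in released and not {"givenName", "sn"} <= released:
            problems.append("SP lists a person name: release displayName or givenName + sn")
    return problems
```

Note that an SP listing only `displayName` is still satisfied by `givenName` + `sn`, since the rule requires some form of person name rather than the exact attribute listed.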