Attributes are negotiated during the connection process.
With attributes, it's possible to restrict access to your service. For example, with the attribute 'Affiliation' you can give access only to students or staff. If you want to restrict access to a certain faculty, you can use the scoped affiliation attribute.
When a service has specific requirements for certain attributes, some coordination between the SP and the IdP is necessary.
Alternatively, you can pre-provision the legitimate users of your service and block the rest. Consequently, you must find a way to map the user information you own to the information you receive from SURFconext.
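The affiliation-based restriction described above, sketched as an SP-side check (an added example, not SURFconext code). It assumes the attributes arrive as a dictionary keyed by the urn:mace attribute names and that the IdP expresses the faculty in the scope of the scoped affiliation; the scopes and sample values are constructed.

```python
# Added example: SP-side authorization on affiliation attributes.
# Attribute names use the urn:mace schema; scopes and sample values are constructed.
AFFILIATION = "urn:mace:dir:attribute-def:eduPersonAffiliation"
SCOPED_AFFILIATION = "urn:mace:dir:attribute-def:eduPersonScopedAffiliation"


def _values(attributes, name):
    """Return the attribute's values as a lowercase list (attributes are multi-valued)."""
    raw = attributes.get(name) or []
    if isinstance(raw, str):
        raw = [raw]
    return [v.strip().lower() for v in raw if isinstance(v, str) and v.strip()]


def is_authorized(attributes, allowed_affiliations, allowed_scopes=None):
    """Decide access from the attributes released for this login.

    allowed_affiliations: e.g. {"student", "staff"}
    allowed_scopes: optional set of exact scopes; when given, only the scoped
    attribute is used, and both halves of value@scope must match.
    Fails closed: a missing or malformed attribute denies access.
    """
    allowed_affiliations = {a.lower() for a in allowed_affiliations}
    if allowed_scopes is None:
        return any(v in allowed_affiliations for v in _values(attributes, AFFILIATION))
    allowed_scopes = {s.lower() for s in allowed_scopes}
    for value in _values(attributes, SCOPED_AFFILIATION):
        affiliation, sep, scope = value.partition("@")
        # Exact scope match: suffix or substring checks would accept look-alike scopes
        if sep and affiliation in allowed_affiliations and scope in allowed_scopes:
            return True
    return False


# Constructed sample attribute sets as an SP might receive them after login
STUDENT = {AFFILIATION: ["student", "member"],
           SCOPED_AFFILIATION: ["student@science.example.edu"]}
LOOKALIKE = {AFFILIATION: ["staff"],
             SCOPED_AFFILIATION: ["staff@notscience.example.edu"]}
NO_ATTRS = {}

if __name__ == "__main__":
    for name, attrs in [("student", STUDENT), ("lookalike", LOOKALIKE), ("none", NO_ATTRS)]:
        print(name, is_authorized(attrs, {"student", "staff"}, {"science.example.edu"}))
```

Because a missing attribute denies access, the service only works for institutions whose IdP actually releases the affiliation attributes, which is the coordination between SP and IdP mentioned above.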