Here is some more background information on this topic.
1. Our first attempt at this was done in the Open Grid Forum Authz
working group several years ago and the result is documented in a couple
of draft OGF profiles. In this case, the PEP knows the user's
distinguished name from his X.509 PKC, and this is passed to the context
handler/PDP as a subject attribute in the request context. It is assumed
that the user's attributes are assigned to this DN at all the different
attribute authorities. In order to request that the PIP pull attributes
from a given set of AAs/IDPs, the PEP places an IDPList element into the
request context as an environmental attribute with
ID=http://schemas.ogf.org/ogsa-authz/2008/09/attribute/IDPList.
IDPList is defined below.