...
The SP translates attributes that it receives on the wire, typically from SAML assertions, using an attribute extractor, typically via the attribute-map.xml configuraton file. The file contains a series of mapping rules that reference the "on the wire" representation and connect it to a more convenient short-hand.
To define a new mapping, ones need one needs to add a new <Attribute> element. The name property in the rule corresponds to the formal SAML name the IdP is using for the attribute, generally a URI. The id property is the shorthand name to use, and determines the environment variable or header by which the attribute will be made available to the web application.
...
Once a mapping is created, the attribute's values, if any, will be available in an environment variable or header corresponding to the rule's id and/or aliases properties. Multiple values are separated by a semicolon, and semicolons in values are escaped with a backslash. The data should be interpreted as UTF-8, which is a superset of ASCII.
Externally to an application, you can utilize mapped attributes for static access control. Included with the SP are a pair of plugins, a cross-platform XML-based mechanism and support for Apache .htaccess.