The IdP includes a command line tool called "aacli" that was also included in older versions; the name stood for Attribute Authority Command Line Interface. The command line tool is a wrapper around a web interface that operates an administrative flow that runs the Attribute Resolver and Attribute Filter services, and produces output in various forms.

...

The tool essentially reproduces the results that would ordinarily be produced during an SSO or Attribute Query request. It operates quickly since it runs within the existing application context. There are a couple of caveats to the reproduction of the results:

...

As an example of the second, if the resolution of data depended on some characteristic of the client, such as a network address, that would be unlikely to behave consistently, as would a scenario where the resolution of the data depended on very low-level details from the authentication process aside from just the canonicalized principal name.

For the vast majority of deployments, this tool can produce very accurate, often 100% accurate, results.

The format of the output is controlled by the presence or absence of the "saml1" and "saml2" options. With neither present, the output is derived directly from the internal attributes produced by the resolver, and is rendered using a simple JSON notation that is neutral in form and doesn't follow any particular standard. Otherwise, the attributes are encoded into SAML as configured, and this includes the production of a <NameID> or <NameIdentifier>, based on the overall configuration of the system.
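Because the tool reproduces what the resolver and filter would release to a given requester, its JSON output can be used to check for attribute over-release after a filter policy change. The following is an added example, not code from the IdP project; the JSON field names, the sample output and the `EXPECTED_RELEASE` table are assumptions constructed for illustration.

```python
import json

# Constructed sample of the tool's neutral JSON output (no saml1/saml2 option).
# The field names "requester", "principal", "attributes", "name" and "values"
# are assumptions about the output shape; adjust them to what your IdP prints.
SAMPLE_OUTPUT = """
{
  "requester": "https://sp.example.org/shibboleth",
  "principal": "jdoe",
  "attributes": [
    {"name": "uid", "values": ["jdoe"]},
    {"name": "mail", "values": ["jdoe@example.org"]},
    {"name": "eduPersonAffiliation", "values": ["member", "staff"]}
  ]
}
"""

# Hypothetical expected-release table, keyed by requester entityID.
EXPECTED_RELEASE = {
    "https://sp.example.org/shibboleth": {"uid", "eduPersonAffiliation"},
}


def audit_release(raw_output, expected=EXPECTED_RELEASE):
    """Compare the resolved-and-filtered attributes with the expected set."""
    doc = json.loads(raw_output)
    requester = doc.get("requester")
    if requester not in expected:
        raise KeyError(f"no expected-release entry for requester {requester!r}")
    released = {}
    for attr in doc.get("attributes", []):
        values = attr.get("values") or []
        if values:  # treat an attribute with no values as not released
            released[attr["name"]] = values
    allowed = expected[requester]
    return {
        "principal": doc.get("principal"),
        "requester": requester,
        "unexpected": sorted(set(released) - allowed),  # over-release
        "missing": sorted(allowed - set(released)),     # under-release
    }


if __name__ == "__main__":
    report = audit_release(SAMPLE_OUTPUT)
    print(report)
    raise SystemExit(1 if report["unexpected"] or report["missing"] else 0)
```

Run it against the tool's output for a representative principal per requester; a non-zero exit means the filter releases something other than the expected set.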