Attributes are generally passed on to the application as determined by attribute acceptance policies (AAP.xml):

<AttributeRule Name="urn:mace:dir:attribute-def:employeeType" Header="Shib-InetOrgPerson-employeeType">
	<AnySite>
		<AnyValue/>
	</AnySite>
</AttributeRule>

The name is the URI representation of the attribute on the wire in the SAML attribute assertion and must match that set by the !IdP. The header is the value you want to have available to the web server.

The actual appearance of this header depends some on the web server. Java requires identification of the header by the original case-sensitive hyphenated version: Shib-InetOrgPerson-employeeType. You can also export the entire assertion itself using the RequestMap element if you really want to deal with the pain.

Fortunately, there's an excellent example (sample.jsp) and it's one everyone used once as they brought up their IdP.

Browser not supported