Attribute-based authorization involves one Web site communicating identity information about a subject to another Web site in support of some transaction. However, the identity information might be some characteristic of the subject, such as a role. Attribute-based authorization is important when the subject’s identity is not important, should not be shared, or is insufficient on its own.
To interoperate with trusted service providers through the SAML protocol, the Identity Server distinguishes between different attributes from different SAML implementations. All SAML administration is done with Liberty attributes. When you specify which attributes to include in an assertion, or which attributes to use when locating the user from an assertion, always specify these attributes in the Liberty format.
In an attribute map, you convert SAML attributes from each vendor’s implementation to Liberty attributes. (See Section 7.1, Configuring Attribute Sets.)
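The following added example (an illustration, not Identity Server code) shows the idea of an attribute map applied to an incoming SAML 2.0 attribute statement: each vendor's attribute names are translated to one internal name per issuer, and attributes with no map entry are dropped. The issuer URLs, the map contents, and the `LIBERTY_*_PLACEHOLDER` names are constructed assumptions, not real Liberty attribute identifiers.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed attribute map: (issuer, vendor attribute name) -> internal name.
# The right-hand names are placeholders, not real Liberty attribute identifiers.
ATTRIBUTE_MAP = {
    ("https://idp-a.example", "urn:oid:0.9.2342.19200300.100.1.3"): "LIBERTY_MAIL_PLACEHOLDER",
    ("https://idp-a.example", "memberOf"): "LIBERTY_ROLE_PLACEHOLDER",
    ("https://idp-b.example", "EmailAddress"): "LIBERTY_MAIL_PLACEHOLDER",
    ("https://idp-b.example", "Role"): "LIBERTY_ROLE_PLACEHOLDER",
}

# Constructed sample assertion fragment. It is unsigned; a real consumer maps
# attributes only after the assertion's signature and conditions are validated.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp-b.example</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="EmailAddress"><saml:AttributeValue>a@example.org</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Role"><saml:AttributeValue>auditor</saml:AttributeValue><saml:AttributeValue>reader</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="isAdmin"><saml:AttributeValue>true</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def map_assertion_attributes(xml_text, attribute_map):
    """Return (mapped, dropped): attribute values keyed by internal name, and
    the vendor attribute names that had no map entry for this issuer."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", default="", namespaces=SAML_NS).strip()
    mapped, dropped = {}, []
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", SAML_NS):
        name = attr.get("Name", "")
        internal = attribute_map.get((issuer, name))
        if internal is None:
            dropped.append(name)  # fail closed: unmapped attributes are never used
            continue
        values = [(v.text or "").strip()
                  for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        mapped.setdefault(internal, []).extend(values)
    return mapped, dropped


if __name__ == "__main__":
    mapped, dropped = map_assertion_attributes(SAMPLE, ATTRIBUTE_MAP)
    print("mapped:", mapped)
    print("dropped:", dropped)
```

Keying the map on the issuer as well as the attribute name keeps one provider's naming from being accepted on behalf of another, and the dropped list is worth logging so that unexpected attributes such as `isAdmin` are visible.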
You can find detailed information about SAML 2.0 on the OASIS Security Services (SAML) TC Web site.