Ref: Send only subset of the groups in the SAML assertions
I am working with a customer who has discovered the joy of attribute mapping and filters as discussed in the referenced link. I've been asked the question, "Any performance impact in the long run with all these attributes doing processing?" They currently have about a half dozen attribute mappings, though the number is likely to grow. My own reaction is that impact should be minimal since any attribute mappings are referenced at run-time when responses are processed, but I thought I would poll the community for additional insight or anecdotal evidence.
My one cent on this.
As with any amount of additional logic be it in code or within an expression there'd be a time to process. My take is it should be within acceptable limits. It should not be a major drop in performance. Most importantly it should not cause issues like memory leaks OR crashes. There is a certain extent we test internally, but each expression in the field is unique; as such subject to tests (functional / performance / load) which I always recommend.
In case of the scenario you've explained, half dozen attribute mappings, though the number is likely to grow"; I would definitely look at recommending atleast a load test to sniff out any lurking memory issues OR long running expressions (with backend connections).
Adding to Hubert, Most of expressions/mapping whether using LDAP or ODBC tends to uniquely identifies based on Mapping type and it processes some logic. It doesn't have much impact because mapping is define based on common name to schema defined for specific User directory. Each directory identifies User Mapping attribute differently. Running some stress tests against UDs could help in identifying performance issues early in cycle.