On the org name issue, can the SP use an assertion attribute instead? It's pretty easy to append attributes together or add static text using the expression option instead of "user attribute". Never done that for a nameid unfortunately; maybe someone else knows how or named expression could work here too like H. mentioned of the case...? Anyhow, using the assertion attributes instead of nameid is pretty straightforward to use the expressions for situations like that.
-----------------------
For example, I have 2x users: (1) uid=myuser and orgCode=companyA and (2) uid=otheruser and orgCode=companyB. The SP wants USER attribute to return the uid@orgcode
I would set the assertion attribute to "expression" and add "USER = #{attr["uid"]}@#{attr["orgCode"]}".
The response for user 1 (myuser) would return myuser@companyA and response for user 2 (otheruser) would return otheruser@companyB
-----------------------
Or you can also use static text if the org code isn't defined in your directory but is a known value between IdP and SP.
E.g., #{attr["uid"]}@SomeCompany which would return myuser@SomeCompany and otheruser@SomeCompany
-----------------------
Lots of flexibility with the assertion attributes to modify with expressions. Same if you had to add an attribute if it's between X-Y values but delete if it's not. So if you're following something like the TSCP SAML Profile and need to return IPVLevel: say the IdP has an attribute called userIdentityLevel that has a range from 10-20. Any user within that range equals the TSCP profile for IPVLevel2, so I need to return that for these users; could do something like:
http://schemas.tscp.org/2012-03/claims/IPV-Level = #{((attr["userIdentityLevel"] >= '10') && (attr["userIdentityLevel"] < '20')) ? 'urn:tscp:IPVLevel:2' : 'DELETE' }
If the user meets that criteria it will return the attribute "http://schemas.tscp.org/2012-03/claims/IPV-Level" with a value of "urn:tscp:IPVLevel:2". If the user does not meet the criteria then the assertion is removed.
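
The mapping rules from this post, modelled in Python as an added example; it is not the product's expression language and not the poster's code. The function names and the directory entries are hypothetical, and `userIdentityLevel` is assumed to be stored as a string. The lexical variant shows what the range test yields if an engine compares the quoted operands as strings, which is an assumption to verify against your product before relying on the rule for an identity-proofing claim.

```python
DELETE = object()  # sentinel: the rule asks for the attribute to be omitted
IPV_CLAIM = "http://schemas.tscp.org/2012-03/claims/IPV-Level"
IPV_L2 = "urn:tscp:IPVLevel:2"


def user_value(attr, static_org=None):
    """uid@orgCode, or uid@<static text> when the org code is not in the directory."""
    org = static_org if static_org is not None else attr["orgCode"]
    return f'{attr["uid"]}@{org}'


def ipv_level(attr):
    """Range rule with numeric comparison: 10 <= level < 20 maps to IPVLevel:2."""
    try:
        level = int(attr.get("userIdentityLevel"))
    except (TypeError, ValueError):
        return DELETE  # missing or non-numeric value: fail closed, omit the claim
    return IPV_L2 if 10 <= level < 20 else DELETE


def ipv_level_lexical(attr):
    """Same rule with both operands compared as strings, for contrast."""
    raw = str(attr.get("userIdentityLevel", ""))
    return IPV_L2 if "10" <= raw < "20" else DELETE


def build_attributes(attr, static_org=None, ipv_rule=ipv_level):
    """Evaluate both rules and drop any attribute whose rule returned DELETE."""
    out = {"USER": user_value(attr, static_org), IPV_CLAIM: ipv_rule(attr)}
    return {name: value for name, value in out.items() if value is not DELETE}


# Constructed directory entries (sample data, not from the original post)
USERS = [
    {"uid": "myuser", "orgCode": "companyA", "userIdentityLevel": "15"},
    {"uid": "otheruser", "orgCode": "companyB", "userIdentityLevel": "100"},
]

if __name__ == "__main__":
    for user in USERS:
        print("numeric:", build_attributes(user))
        print("lexical:", build_attributes(user, ipv_rule=ipv_level_lexical))
```

With the constructed value "100", the numeric rule omits the IPV-Level claim while the lexical rule issues it, so test the deployed expression with out-of-range values that share a leading digit with the range.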