SAML - Advanced Roles Mapping

The basic configuration uses the value of an IdP attribute to assign a role with the same name. For example, to assign a role called cu_awp_admin, the IdP must send an attribute with this exact value.

The Advanced Roles Mapping dialog offers a more flexible way to find the roles to assign:

User Roles Attribute Filter

This option modifies the received User Roles value (configured on the main SAML panel) by removing the parts that match the configured regular expression. For example, if the IdP sends the value cu_employee, the regular expression (cu_) removes the cu_ prefix and the resulting role name is employee.

Role Mappings

Each row in the table represents one possible role assignment.
All received values for the configured attribute are checked against the specified regular expression, and the role is assigned if one of the values matches the expression. With this approach one could, for example, check the received email address to identify an admin user, or check sub-strings within an attribute value to identify a special group of users.
All rows are always processed, which can result in multiple roles being assigned to the user logging in.
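
The attribute filter and the role mapping table described above, modelled in Python as an added example (not the product's own code) to show how anchoring the expressions changes the roles a login receives. It assumes the filter deletes every match and that a row matches on a substring search, which the page does not specify; all function names, attribute names and sample values are constructed.

```python
import re

def filter_role_value(value, filter_regex):
    """User Roles Attribute Filter: delete every part of the value the regex matches."""
    return re.sub(filter_regex, "", value)

def map_roles(attributes, rows):
    """Role Mappings: every row is processed; a row's role is assigned when any
    received value of its attribute matches the row's regex.
    Assumption: matching is a substring search (re.search)."""
    assigned = []
    for attribute, pattern, role in rows:
        values = attributes.get(attribute, [])
        if any(re.search(pattern, v) for v in values) and role not in assigned:
            assigned.append(role)
    return assigned

# Constructed attributes as they might arrive in one SAML assertion.
ATTRS = {
    "mail": ["helpdesk-admin@example.org"],
    "groups": ["dept-finance-readonly", "dept-all"],
}

# Unanchored rows: any value containing the text matches.
LOOSE_ROWS = [
    ("mail", r"admin@example\.org", "admin"),
    ("groups", r"finance", "finance"),
]

# Anchored rows: the value must start (and for mail, also end) as written.
STRICT_ROWS = [
    ("mail", r"^admin@example\.org$", "admin"),
    ("groups", r"^dept-finance-", "finance"),
]

if __name__ == "__main__":
    # The page's own filter example: cu_employee becomes employee.
    print(filter_role_value("cu_employee", r"(cu_)"))
    # An unanchored filter also strips "cu_" from the middle of a value.
    print(filter_role_value("cu_docu_reader", r"(cu_)"))
    print(filter_role_value("cu_docu_reader", r"^cu_"))
    # All rows are processed, so one login can receive several roles.
    print(map_roles(ATTRS, LOOSE_ROWS))
    print(map_roles(ATTRS, STRICT_ROWS))
```

When reviewing a mapping table, test each expression against values that should not match as well as ones that should, since the product's regex dialect and match semantics may differ from this model.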

saml_roles_advanced.txt · Last modified: 2021/02/09 09:00 (external edit)