Customize How Just-in-Time Provisioning Handlers Process Attributes in SAML Assertions

If you’re configuring just-in-time (JIT) provisioning with a custom Apex handler, and your single sign-on (SSO) identity provider sends encrypted SAML assertions, Salesforce now passes the decrypted assertion to your JIT handler. Previously, the JIT handler sometimes couldn’t access certain user attributes. The decrypted assertion is stored as a value with the key Sfdc.SamlAssertion. With access to the decrypted assertion, you can change how your JIT handler processes the assertion so that no attribute gets left behind.

Where: This change applies to Lightning Experience and Salesforce Classic in all editions.

How: Configure Salesforce as a service provider for SAML SSO and enable custom JIT with an Apex handler. Then use the SamlJitHandler interface to customize the JIT handler as needed.
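
As an added example (not Salesforce's code), this Apex helper reads the decrypted assertion from the Sfdc.SamlAssertion key and returns every SAML attribute with all of its values, for use inside a SamlJitHandler's createUser and updateUser methods. It assumes the key is delivered in the handler's attributes map and that the value is either XML or base64-encoded XML; the class and method names are hypothetical.

```apex
// Added example, not Salesforce's code. Call from a SamlJitHandler's
// createUser/updateUser, passing the attributes map the handler receives.
public class DecryptedAssertionReader {
    private static final String SAML_NS = 'urn:oasis:names:tc:SAML:2.0:assertion';
    private static final String ASSERTION_KEY = 'Sfdc.SamlAssertion';

    // Returns attribute name -> all values found in the decrypted assertion.
    // Returns an empty map when the key is absent.
    public static Map<String, List<String>> read(Map<String, String> attributes) {
        Map<String, List<String>> found = new Map<String, List<String>>();
        String raw = (attributes == null) ? null : attributes.get(ASSERTION_KEY);
        if (String.isBlank(raw)) {
            return found;
        }
        // Assumption: the value is either raw XML or base64-encoded XML.
        String xml = raw.trim().startsWith('<')
            ? raw : EncodingUtil.base64Decode(raw.trim()).toString();
        Dom.Document doc = new Dom.Document();
        doc.load(xml);
        collect(doc.getRootElement(), found);
        return found;
    }

    // Walks the tree and records each saml:Attribute with its AttributeValue children.
    // equals() is used because == on Apex strings ignores case.
    private static void collect(Dom.XmlNode node, Map<String, List<String>> found) {
        if ('Attribute'.equals(node.getName()) && SAML_NS.equals(node.getNamespace())) {
            String name = node.getAttributeValue('Name', null);
            if (String.isBlank(name)) {
                return;
            }
            if (!found.containsKey(name)) {
                found.put(name, new List<String>());
            }
            for (Dom.XmlNode child : node.getChildElements()) {
                if ('AttributeValue'.equals(child.getName())) {
                    found.get(name).add(child.getText());
                }
            }
            return;
        }
        for (Dom.XmlNode child : node.getChildElements()) {
            collect(child, found);
        }
    }

    // Convenience: first value of an attribute, or null if it was not sent.
    public static String first(Map<String, List<String>> found, String name) {
        List<String> values = found.get(name);
        return (values == null || values.isEmpty()) ? null : values[0];
    }
}
```

The decrypted assertion carries identity data, so keep the raw value out of System.debug output and map only the attributes your handler expects onto the User record.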
