Splunk needs three critical pieces of information in SAML authentication response to work well with SAML.
1) realName : This is the user name that gets populated in the UI.
2) mail: the email of the user.
3) role: this information is used to map user group names to splunk roles, an example would be "developer" -> "user" (SplunkRole), "domain admin"-> "admin" (SplunkRole). We create mappings for incoming group information to splunk roles via the SAML Group map(Green button next to SAML configuration on the UI)
Attribute alias mappings provide you with flexibility to choose what you want to map these to, in the assertion that is being returned.
By default we look for saml attributes called "realName", "mail" and "role".
You may or may not need this to work, you can actually configure idp to send the required attributes with the names as 'realName', 'role' and 'mail'
In the answer posted by suarezry he is mapping 'mail' to 'urn:oid:0.9.2342.19200300.100.1.3'. And as he has mentioned an easy way to look at the authentication response is to use SAML Tracer, look at the attributes that are most suitable for that purpose and map them via attribute aliases