The test cases are actually those quick start examples:

IDP sends SP assertion with three attributes: name=Role, value=manager; name=Role, value=employee; name=Role, value=sales;

But only the last one gets into HttpSession. When I retrieve those attributes by session.getAttribute(GeneralConstants.SESSION_ATTRIBUTE_MAP), I only got one value.

The code that caused the problem is described below.

In method protected void handleIDPResponse(SAML2HandlerRequest request), these lines
if (chooseFriendlyName)

{ attrMap.put(attr.getFriendlyName(), attr.getAttributeValue()); }

else

{ attrMap.put(attr.getName(), attr.getAttributeValue()); }

should be changed to something like the following:
if (chooseFriendlyName) {
List<Object> values = attrMap.get(attr.getFriendlyName());
if (values == null)

{ attrMap.put(attr.getFriendlyName(), attr.getAttributeValue()); }

else if (attr.getAttributeValue() != null)

{ List<Object> newValues = new ArrayList<>(attr.getAttributeValue()); newValues.addAll(values); attrMap.put(attr.getFriendlyName(), newValues); }

} else {
List<Object> values = attrMap.get(attr.getName());
if (values == null)

{ attrMap.put(attr.getName(), attr.getAttributeValue()); }

else if (attr.getAttributeValue() != null)

{ List<Object> newValues = new ArrayList<>(attr.getAttributeValue()); newValues.addAll(values); attrMap.put(attr.getName(), newValues); }

}