In a SAML Trace, you can see that on an [Okta (IDP) App SAML request towards an App (SP side)] where you've already configured some regex-matching custom SAML attributes (not set in Mappings, but directly in the SAML App's config) to be passed over, these (which are named in the App's config as 'User attributes' or 'Group attributes') are send:

In a SAML Trace, you can see that on an [Okta (IDP) App SAML request towards an App (SP side)] where you’ve already configured some regex-matching custom SAML attributes (not set in Mappings, but directly in the SAML App’s config) to be passed over, these (which are named in the App’s config as ‘User attributes’ or ‘Group attributes’) are send:

In a SAML Trace, you can see that on an [Okta (IDP) App SAML request towards an App (SP side)] where you’ve already configured some regex-matching custom SAML attributes (not set in Mappings, but directly in the SAML App’s config) to be passed over, these (which are named in the App’s config as ‘User attributes’ or ‘Group attributes’) are send:
A . As an API header
B. Encrypted
C. Unencrypted
D. Back to Okta

Answer: C