How to read value of SAML attribute received from the IdP?

Another solution to access an attribute value is via SAMLCredential.getAttributeAsString(String name)

credential.getAttributeAsString(attribute.getName())

XmlObject requires some unpacking to work with:

private String getAttributeValue(XMLObject attributeValue)
{
    return attributeValue == null ?
            null :
            attributeValue instanceof XSString ?
                    getStringAttributeValue((XSString) attributeValue) :
                    attributeValue instanceof XSAnyImpl ?
                            getAnyAttributeValue((XSAnyImpl) attributeValue) :
                            attributeValue.toString();
}

private String getStringAttributeValue(XSString attributeValue)
{
    return attributeValue.getValue();
}

private String getAnyAttributeValue(XSAnyImpl attributeValue)
{
    return attributeValue.getTextContent();
}

You can loop over the List<XmlObject> until you find the attribute you need to and then call the getAttributeValue(XmlObject) method above.

Depending on what these XmlObjects really are (Attribute, AttributeValue, etc.) you may need some portion of this algorithm to unpack them fully:

private final static String USERNAME_ATTRIBUTE_NAME = "urn:oid:0.9.2342.19200300.100.1.3"

private String getUsername(Assertion assertion)
{
    for (AttributeStatement attributeStatement : assertion.getAttributeStatements())
    {
        for (Attribute attribute : attributeStatement.getAttributes())
        {
            if (USERNAME_ATTRIBUTE_NAME.equals(attribute.getName()))
            {
                List<XMLObject> attributeValues = attribute.getAttributeValues();
                if (!attributeValues.isEmpty())
                {
                    return getAttributeValue(attributeValues.get(0));
                }
            }
        }
    }
    throw new IllegalArgumentException("no username attribute found");
}

In this case I'm using the standard OID for email address. In practice this has to be configurable as various IdP's use different naming strategies. This worked with Shibboleth IdP 3.

@StefanRasmusson's A Guide to OpenSAML is what got me past the hump between getting SAML concepts and being able to implement my own SP.

Scott Cantor was also incredibly helpful to me on the shibboleth-users mailing list from topics ranging for configuration gaps to high-level security architectural questions. The OpenSAML community (including Shibboleth) are very helpful and opinionated and I like that.