The Auth0 SAML IDP does not add custom claims

Updating because I believe I found it in the documentation:

The context.samlConfiguration.mappings object is used to override default SAML attributes or add new attributes. The object keys are the name of the SAML attribute to override or add and the values are a string of the user object property to use as the attribute value.

So when you are updating context.samlConfiguration.mappings, you don’t need “user.” because it’s implied. And I believe the quotes are needed around it because this is only acting as a mapping to dynamically pull from the user account.

Also, user_metadata is something the user can modify; it seems that your app_roles is better suited for app_metadata. As a double bonus, you don’t need to put "app_metadata.attribute" in your rule; you can just put in "attribute", so that can clean it up a bit.

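The mapping described in the answer above, as an added example that is not part of the original post or of Auth0's documentation: a rule that takes roles only from app_metadata, ignores any user-editable copy in user_metadata, and maps a SAML attribute to a user property name without the "user." prefix. The attribute name, the `samlRoles` property, and the `resolveMappings` helper (a simplified stand-in for the IdP's lookup, used only to check the result offline) are assumptions.

```javascript
// Added example. ROLE_ATTRIBUTE and "samlRoles" are hypothetical names.
const ROLE_ATTRIBUTE = 'http://schemas.example.com/claims/app_roles';

// Rule body: Auth0 rules are functions of (user, context, callback).
function addRolesToSaml(user, context, callback) {
  // Read roles only from app_metadata, which end users cannot edit.
  // user_metadata.app_roles is deliberately ignored, even when present.
  const fromAdmin = (user.app_metadata || {}).app_roles;
  const roles = Array.isArray(fromAdmin)
    ? fromAdmin.filter((r) => typeof r === 'string' && r.length > 0)
    : [];

  // Expose the vetted value as a top-level user property so the
  // mapping value below is a plain property name.
  user.samlRoles = roles;

  // Keys: SAML attribute names. Values: user property names as quoted
  // strings, with no "user." prefix. Existing mappings are preserved.
  context.samlConfiguration = context.samlConfiguration || {};
  context.samlConfiguration.mappings = Object.assign(
    {},
    context.samlConfiguration.mappings,
    { [ROLE_ATTRIBUTE]: 'samlRoles' }
  );

  callback(null, user, context);
}

// Simplified stand-in (assumption) for how mappings are resolved
// against the user object when the assertion is built.
function resolveMappings(user, mappings) {
  const out = {};
  for (const [attr, prop] of Object.entries(mappings)) out[attr] = user[prop];
  return out;
}

// Runs the rule on a constructed user and returns the resolved attributes.
function demo(user) {
  let result;
  addRolesToSaml(user, {}, (err, u, c) => {
    result = resolveMappings(u, c.samlConfiguration.mappings);
  });
  return result;
}

// Constructed sample: the user has self-assigned "admin" in user_metadata.
const sampleUser = {
  user_id: 'auth0|constructed',
  user_metadata: { app_roles: ['admin'] },
  app_metadata: { app_roles: ['reader'] },
};
```

Calling `demo(sampleUser)` yields only the `reader` role for the attribute, because the self-assigned value in user_metadata never reaches the mapping.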