Problem

Ping Federate does not send group names in the form our SAML SSO app requires to provide full Just-In-Time (User Provisioning) support.
It might only send all the group names as one comma-separated string, i.e. in the "MemberOf" attribute.

While this is good enough for basic things such as group transformation rules,
it won't suffice if you want our SAML SSO app to create multiple groups in your Atlassian instance.

For that to work, group names need to be sent as a multi-valued attribute, with one AttributeValue element per group, as in the example below.

<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml2:Attribute Name="groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">DomainUsers</saml2:AttributeValue>
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">Group-1</saml2:AttributeValue>
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">Admins</saml2:AttributeValue>
    </saml2:Attribute>
</saml2:AttributeStatement>


Solution

The article from Ping below describes how to use Object-Graph Navigation Language (OGNL) to accomplish that, based on an LDAP memberOf attribute.
https://support.pingidentity.com/s/article/How-to-process-a-LDAP-multi-valued-attribute-and-return-it-as-a-multi-valued-SAML-attribute673515

Depending on your exact Ping version, OGNL might not be available. We do know that it is available at least for Ping Federate.
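
To check which of the two forms your IdP actually sends, before and after the change, the following added example (not part of the Ping article or of our app) inspects an AttributeStatement copied from a captured assertion. The function names and both sample statements are constructed for illustration, and it assumes individual group names contain no commas (i.e. they are not full LDAP DNs).

```python
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample: all groups packed into one AttributeValue.
SINGLE_STRING = (
    f'<saml2:AttributeStatement xmlns:saml2="{NS}">'
    '<saml2:Attribute Name="MemberOf">'
    "<saml2:AttributeValue>DomainUsers,Group-1,Admins</saml2:AttributeValue>"
    "</saml2:Attribute></saml2:AttributeStatement>"
)

# Constructed sample: one AttributeValue per group, as the app requires.
MULTI_VALUED = (
    f'<saml2:AttributeStatement xmlns:saml2="{NS}">'
    '<saml2:Attribute Name="groups">'
    "<saml2:AttributeValue>DomainUsers</saml2:AttributeValue>"
    "<saml2:AttributeValue>Group-1</saml2:AttributeValue>"
    "<saml2:AttributeValue>Admins</saml2:AttributeValue>"
    "</saml2:Attribute></saml2:AttributeStatement>"
)


def attribute_values(xml_text, name):
    """Return the text of every AttributeValue under the named Attribute."""
    # Diagnostic only: this reads a locally captured statement and does
    # not validate the assertion's signature.
    root = ET.fromstring(xml_text)
    values = []
    for attr in root.iter(f"{{{NS}}}Attribute"):
        if attr.get("Name") == name:
            for value in attr.findall(f"{{{NS}}}AttributeValue"):
                values.append((value.text or "").strip())
    return [v for v in values if v]


def classify_groups(xml_text, name):
    """Report how group names are encoded in the named attribute."""
    values = attribute_values(xml_text, name)
    if not values:
        return "missing", []
    if len(values) == 1 and "," in values[0]:
        # The SP sees ONE value here; the split only shows what was intended.
        return "single-string", [p.strip() for p in values[0].split(",") if p.strip()]
    return "multi-valued", values


if __name__ == "__main__":
    print(classify_groups(SINGLE_STRING, "MemberOf"))
    print(classify_groups(MULTI_VALUED, "groups"))
```

A result of "single-string" means the groups arrive as one value and will not be created individually by Just-In-Time provisioning.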