It doesn't seem that Jakub Jirutka has verified this issue as fixed. I am hitting this issue now and have debugged the code to find that the change made in the pull request here does not get invoked while processing the attribute value:

      <saml2:Attribute FriendlyName="eduPersonTargetedID" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">

         <saml2:AttributeValue>

            <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="https://idp.testshib.org/idp/shibboleth" SPNameQualifier="http://your.domain/sales-post-sig/">fpirfQ6UDwH8oYvHPK8tI0456nE=</saml2:NameID>

         </saml2:AttributeValue>

      </saml2:Attribute>

I believe that we need some handling of this inside SAML2AuthenticationHandler.getRoles().
I think we may be able to check for an instanceof NameIDType and then add the getValue of it to the roles.

I will try and poc this and possibly provide a patch.

Has anyone actually verified the existing code to work with testshib?