The IDP (Gluu Server) sends an identity assertion to the application: an XML or JSON object that tells the application who the person is, and how and when they were authenticated.
If you want to use this information to control access to your application, you can use a web proxy. The Shibboleth SAML SP Apache filter uses the `require` keyword (e.g. role=manager); mod_auth_openidc also offers `require` claim syntax.
If you are not using a web server as the relying party, your application will need to be smart enough to read and validate the identity assertion, and enact the respective security rules.