Michael has addressed most of it already, I'll just add in on this part
>I have noticed that some GLUU configuration actions will regenerate these files from templates.
>Are they being generated from templates located at /opt/gluu/jetty/identity/conf/shibboleth3/idp? Is it safe to edit those files?
Yes, those are templates you need, and it's generally safe to edit them - assuming you understand how the Apache Velocity works and know its syntax. You are on your own while on this task, though, as such in-depth stuff isn't normally covered by Community Support. You indeed would make the whole thing way less complex by just importing those attributes into Gluu's LDAP with custom CR script.