The SP still doesn't know anything about the user, except that they managed to authenticate at this particular IdP.
The SP sends a SAML Attribute Query direct to the IdP's Attribute Authority service asking for more information. It can, but typically doesn't, say what it wants to know.
The query is carried in a SOAP message over HTTP.