As far as I know, this is the way Azure AD works. It points out that it's going to use the userprincipalname attribute from the user, or the mail attribute from the user. You could, for example, also add group attributes to SAML. Then it would be group.mail or group.name.
So the "user." part is to point out that you're using a user attribute, and the userprincipalname, mail or surname part is to point to the actual attribute.