If you are using the SAML module see the documentation here: https://docs.mendix.com/appstore/modules/saml the part about CustomUserProvisioning that is explained here: https://docs.mendix.com/appstore/modules/saml#customuserprovisioning

This is the part you are looking for:

7.2 CustomUserProvisioning

When selecting in the SSO configuration to run the customUserProvisioning action (previously known as CustomLoginLogic), you can update the new or retrieved user with additional information from the assertion. All the assertions are passed into the microflow, and these can be transformed and stored in the user record. Also, additional roles can be granted to the users based on the assertion attributes.

Regards,

Ronald

When you get your assertion attributes set up like Ronald suggests, extend the CustomUserProvisioning flow with something like this (right-click > download for full image)