If you are using the SAML module see the documentation here: https://docs.mendix.com/appstore/modules/saml the part about CustomUserProvisioning that is explained here: https://docs.mendix.com/appstore/modules/saml#customuserprovisioning
This is the part you are looking for:
7.2 CustomUserProvisioning When selecting in the SSO configuration to run the customUserProvisioning action (previously known as CustomLoginLogic), you can update the new or retrieved user with additional information from the assertion. All the assertions are passed into the microflow, and these can be transformed and stored in the user record. Also, additional roles can be granted to the users based on the assertion attributes.
When you get your assertion attributes set up like Ronald suggests, extend the CustomUserProvisioning flow with something like this (right-click > download for full image)