IdP/Database Hybrid

This works for me:

runScript("system.user.getUser('MySQL_User_Source', '" + {idp-attributes:/saml2p:Response/saml2:Assertion/saml2:Subject/saml2:NameID/text()} + "').getRoles()")

where MySQL_User_Source is the name of my user source profile.

Since we are passing Jython source code as a string to the runScript expression function, we need to embed the username in the part of the source code where the username argument goes to the system.user.getUser script function using string concatenation (string concatenation is handled by the Ignition expression itself). Just swap my XPath expression (/saml2p:Response/saml2:Assertion/saml2:Subject/saml2:NameID/text()) with the XPath expression you need to dereference the username in your SAML response and it should work.

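The concatenation described in the post, modelled in plain Python as an added example (not part of the original post and not Ignition's own code): it checks whether the generated Jython source still passes the exact NameID to getUser when the value contains a quote or a backslash. The helpers build_naive, build_quoted, dotted, username_argument and round_trips are hypothetical names, the NameID values are constructed, and repr() stands in for whatever escaping is applied before the string reaches runScript.

```python
import ast

USER_SOURCE = "MySQL_User_Source"  # user source profile name from the post

def build_naive(name_id):
    # Same shape as the post's concatenation: NameID pasted between quotes.
    return "system.user.getUser('%s', '%s').getRoles()" % (USER_SOURCE, name_id)

def build_quoted(name_id):
    # Assumed alternative: emit NameID as an escaped string literal via repr().
    return "system.user.getUser(%r, %r).getRoles()" % (USER_SOURCE, name_id)

def dotted(node):
    # Turn an a.b.c attribute chain into "a.b.c"; None for anything else.
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return None
    return ".".join(reversed(parts + [node.id]))

def username_argument(source):
    # Return the username literal the script passes to getUser, or None when
    # the source is not exactly getUser(<str>, <str>).getRoles().
    try:
        outer = ast.parse(source, mode="eval").body
    except SyntaxError:
        return None
    if not (isinstance(outer, ast.Call) and not outer.args and not outer.keywords
            and isinstance(outer.func, ast.Attribute)
            and outer.func.attr == "getRoles"):
        return None
    inner = outer.func.value
    if not (isinstance(inner, ast.Call) and not inner.keywords
            and dotted(inner.func) == "system.user.getUser"
            and len(inner.args) == 2
            and all(isinstance(a, ast.Constant) and isinstance(a.value, str)
                    for a in inner.args)):
        return None
    return inner.args[1].value

def round_trips(builder, name_id):
    # True only if the generated script looks up exactly this username.
    return username_argument(builder(name_id)) == name_id

if __name__ == "__main__":
    for name in ["jsmith", "O'Brien", "PLANT\\bob"]:  # constructed NameID values
        print(name, round_trips(build_naive, name), round_trips(build_quoted, name))
```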