The customer's sysadmin found the ultimate solution by adding the following text in the Gateway setting at Config/Identity Providers/More/User Attribute Mapping, which maps the roles to a SAML attribute.
Now the session property session.props.auth.user.roles is populated with the authenticated users' roles.
Thanks to everyone for the input!
