As a workaround, I found that if I load the User object from the Management API, rather than rely on the User object I receive within the Event parameter, I am able to see claims, such as groups, that were added from the SAML token. I hope this helps!