Custom roles can be injected locally using the local claims authentication manager. The manager fires locally and lets you augment the federated identity.
You can have the manager fire only once, when the session authentication module creates a local cookie, or have it fire upon every request. Consult my blog entries for more details:
http://www.wiktorzychla.com/2011/07/wif-and-custom-userdata-in.html
http://www.wiktorzychla.com/2012/09/sessionauthenticationmodule-and-dynamic.html
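
A sketch of such a manager, added here as an example and not taken from the answer or the linked posts. It assumes the .NET 4.5 `System.Security.Claims` API; the class name, the role table and the issuer strings are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

// Hypothetical manager: adds locally managed roles to a federated identity.
public class LocalRolesAuthenticationManager : ClaimsAuthenticationManager
{
    // Constructed sample data; stands in for a local role store (assumption).
    // Keyed by "issuer|name identifier" so the same subject ID from a
    // different issuer never picks up someone else's roles.
    private static readonly Dictionary<string, string[]> LocalRoles =
        new Dictionary<string, string[]>(StringComparer.Ordinal)
        {
            { "https://sts.example.test/|alice", new[] { "Administrator", "Auditor" } },
            { "https://sts.example.test/|bob", new[] { "Reader" } }
        };

    private const string LocalIssuer = "urn:example:local-roles"; // assumption

    public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incomingPrincipal)
    {
        var identity = incomingPrincipal == null ? null : incomingPrincipal.Identity as ClaimsIdentity;
        // Anonymous requests pass through untouched.
        if (identity == null || !identity.IsAuthenticated)
            return base.Authenticate(resourceName, incomingPrincipal);

        var subject = identity.FindFirst(ClaimTypes.NameIdentifier);
        if (subject == null)
            return incomingPrincipal; // no stable key: grant no local roles

        string[] roles;
        if (LocalRoles.TryGetValue(subject.Issuer + "|" + subject.Value, out roles))
        {
            foreach (var role in roles.Where(r => !identity.HasClaim(ClaimTypes.Role, r)))
            {
                // Stamp the local issuer so added roles can be told apart
                // from claims asserted by the identity provider.
                identity.AddClaim(new Claim(ClaimTypes.Role, role, ClaimValueTypes.String, LocalIssuer));
            }
        }
        return incomingPrincipal;
    }
}
```

The manager is registered through the `claimsAuthenticationManager` element under `system.identityModel/identityConfiguration`. `IsInRole` sees the added roles as long as the identity's `RoleClaimType` is `ClaimTypes.Role`.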