Petter, and anyone else who might stumble across this: I had to create a custom transform rule to make this work. Three rules total on the ADFS side:
1 - Send LDAP Attributes as Claims - E-Mail-Addresses --> E-Mail Address
2 - Transform an Incoming Claim - E-mail Address --> Name ID with Email format
3 - This custom rule:
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("UserRole"), query = ";tokenGroups;{0}", param = c.Value);
That sends all of the user's groups to the FMC. I also created a specific access control policy so that only users in the FMC admin or read-only groups could authenticate at all.
On the FMC side, Group Member Attribute is set to UserRole. Then I matched the names of the AD groups that I'm using for Administrator and Security Analyst (Read Only). Users in those groups get those roles. Any other users should never get to the FMC because they are stopped by ADFS.
I hope that helps someone who needs this too.
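Added example, not the poster's own script: the three claim rules described in the post, expressed as a PowerShell script that applies them to an existing ADFS relying party trust, plus a rule-based issuance authorization that limits sign-in to the two AD groups. That authorization rule is an assumed equivalent of the access control policy the post mentions, not the poster's exact policy. The trust display name, the two group names and their SIDs are placeholders you would replace with your own.

```powershell
# Added example (not from the original post): apply the claim rules to an
# existing ADFS relying party trust. Assumed placeholders: the trust display
# name, the two AD group names and their SIDs.
$rpName           = "Cisco FMC"                # placeholder: relying party trust display name
$adminGroup       = "FMC-Administrators"       # placeholder: AD group mapped to the FMC Administrator role
$readOnlyGroup    = "FMC-ReadOnly"             # placeholder: AD group mapped to Security Analyst (Read Only)
$adminGroupSid    = "S-1-5-21-0-0-0-1001"      # placeholder: SID of $adminGroup
$readOnlyGroupSid = "S-1-5-21-0-0-0-1002"      # placeholder: SID of $readOnlyGroup

# Issuance transform rules, in the order the post lists them.
# Rules 1 and 2 are the standard templates the ADFS wizard generates;
# rule 3 is the custom tokenGroups -> UserRole rule from the post.
$issuanceTransformRules = @"
@RuleTemplate = "LdapClaims"
@RuleName = "1 - Send E-Mail-Addresses as E-Mail Address"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "2 - Transform E-Mail Address to Name ID (email format)"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");

@RuleName = "3 - Send tokenGroups as UserRole"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("UserRole"), query = ";tokenGroups;{0}", param = c.Value);
"@

# Rule-based equivalent (assumption) of the access control policy from the post:
# permit only members of the two groups, matched on the group SID claims that the
# AD claims provider passes through; anyone else gets no permit claim and is denied.
$issuanceAuthorizationRules = @"
@RuleName = "Permit FMC administrators and read-only users only"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "^($adminGroupSid|$readOnlyGroupSid)$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

# Note: Set-AdfsRelyingPartyTrust replaces the whole rule set on the trust,
# so any rules already configured there are overwritten.
Set-AdfsRelyingPartyTrust -TargetName $rpName `
    -IssuanceTransformRules $issuanceTransformRules `
    -IssuanceAuthorizationRules $issuanceAuthorizationRules

# Read back what was applied so the rule text can be checked after the change.
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
$rp.IssuanceTransformRules
$rp.IssuanceAuthorizationRules

# Values to enter on the FMC side, per the post: Group Member Attribute = UserRole,
# then the AD group names for the Administrator and Security Analyst (Read Only) roles.
"FMC: Group Member Attribute = UserRole; Administrator group = $adminGroup; Security Analyst (Read Only) group = $readOnlyGroup"
```

Run this in an elevated PowerShell session on an ADFS server after the relying party trust for the FMC already exists. The authorization rule runs before the transform rules, so it cannot match on the UserRole claim that rule 3 produces; matching on the group SID claims is why the SIDs, not the group names, appear there.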