Can I control a user's role in Panoptica via SAML attributes/group memberships, or are roles always configured in Panoptica?

All new SAML users get Viewer access, and then from there this can be configured manually. Currently there is no groups mapping.

If I already have an account with a password but then I log in with SSO with the same email address, do I now have two users or one? Do I keep my Panoptica role? Do I keep my password?

They will both live within one user, and the Panoptica role and password are kept.

Once it has been tested, can we make SSO login mandatory?

Yes, SSO login can be made as mandatory.

When connecting to Jira, should I create a Panoptica user?

No, you should enter a Jira admin user email.