[FR] Autoprovision groups based on userinfo #300

@bcskda

Hello,

Currently autoprovisioning adds new users to a configuration-defined set of groups:

'auto-provision' => [
  'groups' => ['employees']
]

Would you be interested in managing a user's groups based on a userinfo claim?
E.g., add a configuration option 'auto-provision' => [ 'groups-claim' => 'groups' ].
Then, if configured:

  • treat the userinfo claim as a list of gids
  • add the user to specified groups that exist
  • remove the user from extra ones

For current 'groups' => ['employees'] configurations, keep the same logic: "add during user creation".

Both scenarios would be available and interchangeable:

  • groups -> groups-claim transition would require administrators to configure their IdP and update existing user profiles on the IdP side
  • groups-claim -> groups transition would disable group synchronization for existing profiles and work as expected for new profiles

The groups and groups-claim options should probably be mutually exclusive.

Are there any concerns with LDAP integration or any other source of group membership?

In case this is OK, I am willing to implement it.
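
Added example, not part of the original issue or the project's code: the reconciliation steps listed in the issue, written as a pure PHP function. The function and parameter names are hypothetical. Skipping sync when the claim is missing or malformed, and leaving groups owned by another source (such as LDAP) untouched, are assumptions the issue does not state.

```php
<?php
declare(strict_types=1);

/**
 * Plan group changes for one user from a userinfo claim (hypothetical helper).
 *
 * @param mixed    $userInfo      decoded userinfo response (object or array)
 * @param string   $claimName     value of the proposed 'groups-claim' option
 * @param string[] $currentGids   groups the user belongs to now
 * @param string[] $existingGids  groups that exist locally
 * @param string[] $unmanagedGids assumption: groups owned by another source
 *                                (e.g. LDAP) that sync never adds or removes
 * @return array|null ['add' => gids, 'remove' => gids], or null to skip sync
 */
function planGroupSync($userInfo, string $claimName, array $currentGids,
                       array $existingGids, array $unmanagedGids = []): ?array
{
    $info = (array) $userInfo;
    // Assumption: a missing or non-list claim skips sync instead of
    // stripping every group from the user.
    if (!isset($info[$claimName]) || !is_array($info[$claimName])) {
        return null;
    }
    // Keep only non-empty string gids; drop duplicates and malformed entries.
    $claimed = [];
    foreach ($info[$claimName] as $gid) {
        if (is_string($gid) && $gid !== '') {
            $claimed[] = $gid;
        }
    }
    $claimed = array_unique($claimed);
    // Join only groups that already exist; unknown gids are never created.
    $wanted  = array_diff(array_intersect($claimed, $existingGids), $unmanagedGids);
    $managed = array_diff($currentGids, $unmanagedGids);
    return [
        'add'    => array_values(array_diff($wanted, $managed)),
        'remove' => array_values(array_diff($managed, $wanted)),
    ];
}

// Constructed sample input: the claim repeats one gid and names a missing group.
$userInfo = json_decode(
    '{"sub":"alice","groups":["employees","finance","no-such-group","employees"]}'
);
$plan = planGroupSync($userInfo, 'groups', ['employees', 'interns', 'ldap-staff'],
    ['employees', 'finance', 'interns', 'ldap-staff'], ['ldap-staff']);
echo json_encode($plan), PHP_EOL;
```

An empty list in the claim is treated as valid and removes the user from every managed group, which matches the "remove the user from extra ones" step.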
