diff --git a/configurations.md b/configurations.md index dccee17..82108a8 100644 --- a/configurations.md +++ b/configurations.md @@ -90,6 +90,9 @@ PostgreSQL is configured only if the required environment variables are set; oth - **`MOBSF_IDP_IS_ADFS`**: Set ADFS as IdP when set to `1`. - **`MOBSF_SP_HOST`**: Hostname for SAML Service Provider (SP). - **`MOBSF_SP_ALLOW_PASSWORD`**: Enables password-based login for SAML SP when set to `1`. +- **`MOBSF_IDP_MAINTAINER_GROUP`**: Enables SSO group mapping for MobSF Maintainer role when set to `group_name_1,group_name2,..`, default to `Maintainer` +- **`MOBSF_IDP_VIEWER_GROUP`**: Enables SSO group mapping for MobSF Viwer role when set to `group_name_1,group_name2,..`, default to `Viewer` +- **`MOBSF_IDP_DEFAULT_GROUP`**: Enables SSO authenticated users without any suitable groups in SAML assertion to be logged in with default role when set to `Maintainer` or `Viewer`. ## Custom binaries for Android SAST - **`MOBSF_BUNDLE_TOOL`**: Path to the BundleTool binary. diff --git a/sso.md b/sso.md index 1307efd..f4f143b 100644 --- a/sso.md +++ b/sso.md 
@@ -57,7 +57,7 @@ To enable Okta SSO in MobSF, you need the Metadata URL from Okta. 8. In the next **Feedback** screen, tick the `This is an internal app that we have created` option and click **Finish** to create the MobSF Okta integration. -9. You must create at least two Okta groups for the MobSF roles `Maintainer` and `Viewer`. The group name should contain the string `maintainer` in it to be associated with the `Maintainer` role, and any other group name will be assigned to the Read-Only `Viewer` role. You can add corresponding users to each group. +9. You must create at least two Okta groups for the MobSF roles `Maintainer` and `Viewer`. The group name should contain the string `maintainer` in it to be associated with the `Maintainer` role, and `viewer` to be associated with the `Viewer` role. Yoy can use SSO groups mapping whith environment variables `MOBSF_IDP_MAINTAINER_GROUP` and `MOBSF_IDP_VIEWER_GROUP` to map your custom Okta groups to MobSF `Maintainer` and `Viewer` roles. If you want to authorize SSO logged-in users without any suitable SSO groups you can use environment variable `MOBSF_IDP_DEFAULT_GROUP=Viewer` or `MOBSF_IDP_DEFAULT_GROUP=Maintainer` to authorize as `Viewer` or `Maintainer`. 10. Go to the **Assignment** tab of the MobSF app and assign the groups corresponding to `Maintainer` and `Viewer` roles.
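Review bot: The `MOBSF_IDP_MAINTAINER_GROUP` / `MOBSF_IDP_VIEWER_GROUP` entries in the configurations.md hunk do not say how the configured names are matched against the groups in the SAML assertion (exact match or substring, case-sensitive or not), which matters because the existing sso.md text describes substring matching on `maintainer`; state the rule explicitly, and also fix the documentation defects on those lines: `Viwer` should be `Viewer`, `default to` should be `defaults to`, and the placeholder should be written consistently (e.g. `group_name_1,group_name_2,...` rather than `group_name_1,group_name2,..`). The `MOBSF_IDP_DEFAULT_GROUP` entry should additionally document what happens when it is unset (the reader cannot tell whether users without a matching group are rejected) and should warn that `Maintainer` as the default grants the write role to every account the IdP authenticates, not only to members of a mapped group.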
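Review bot: Step 9 in the sso.md hunk now describes two overlapping mechanisms (group names containing `maintainer` / `viewer`, and explicit names in `MOBSF_IDP_MAINTAINER_GROUP` / `MOBSF_IDP_VIEWER_GROUP`) without saying which one wins, or which role is applied when a user is a member of both a maintainer and a viewer group; a sentence giving the precedence (and noting that the more privileged `Maintainer` role should not be chosen by accident) would remove that ambiguity. The same line has typos to fix: `Yoy` should be `You`, `whith` should be `with`, and `SSO groups mapping` reads better as `SSO group mapping`. The closing sentence about `MOBSF_IDP_DEFAULT_GROUP=Maintainer` should also say plainly that this gives every SSO-authenticated user without a mapped group the write role, so operators understand that `Viewer` is the safer default.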