[CF1] failed to fetch user/group info

Author: deadlypants1973

src/content/docs/cloudflare-one/faq/troubleshooting.mdx

@@ -297,3 +297,11 @@ If the user attempts to enter the override code at **11:59 AM** the next day, th
 If you are using an [Admin override](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/#admin-override) code with [Auto connect](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/#auto-connect) also enabled, WARP will turn on automatically according to the Timeout set for **Auto connect**. Using an override code to override the WARP lock switch will not disable Auto connect. As best practice, review your Auto connect settings before sending the override code to the user.
 
 To prevent WARP from auto connecting while using an admin override code, disable Auto connect or set a longer **Timeout** for **Auto connect**. Note the changes you make to Auto connect while the end user is using the admin override code if you need to revert these changes later.
+
+## I am getting the error `Failed to fetch user/group information from the identity`.
+
+This error is returned when proper API scope is not set up in the IdP. When Cloudflare attempts to fetch user/group information from the IdP, and proper API scope as not been configured, the `Failed to fetch user/group information from the identify provider` error will appear. Review the [SSO integration](cloudflare-one/identity/idp-integration/) guide for your IdP to ensure your application has the appropriate API permissions.
+
+For example, [Microsoft Entra's permissions](/cloudflare-one/identity/idp-integration/) and [Okta](</cloudflare-one/identity/idp-integration/okta/#:~:text=(Optional)%20Create%20an%20Okta%20API%20token%20and%20enter%20it%20in%20Zero%20Trust%20(the%20token%20can%20be%20read%2Donly).%20This%20will%20prevent%20your%20Okta%20groups%20from%20failing%20if%20you%20have%20more%20than%20100%20groups.>) have required permissions stated in their integration guides.
+
+You can also examine logs in your IdP to identify any denied requests related to API access.

src/content/docs/cloudflare-one/identity/idp-integration/gsuite.mdx

@@ -88,6 +88,12 @@ You do not need to be a Google Cloud Platform user to integrate Google Workspace
 
 To test that your connection is working, go to **Authentication** > **Login methods** and select **Test** next to Google Workspace. Your user identity and group membership should return.
 
+:::note[`Failed to fetch group information from the identity provider` error]
+
+To test successfully, you must [finish setup](https://community.cloudflare.com/t/google-workspace-failed-to-fetch-group-information-from-the-identity-provider/313361/2). Testing before finishing setup will result in a [`Failed to fetch group information from the identity provider` error](/cloudflare-one/faq/troubleshooting/#i-am-getting-the-error-failed-to-fetch-usergroup-information-from-the-identity).
+
+:::
+
 ## Example API Configuration
 
 ```json