Commit 2c8269d

Update generic-saml.mdx
add call out for Groups match
1 parent 37bcd65 commit 2c8269d

1 file changed

+2
-0
lines changed

src/content/docs/cloudflare-one/identity/idp-integration/generic-saml.mdx

Lines changed: 2 additions & 0 deletions
@@ -74,6 +74,8 @@ Your identity provider must support SCIM version 2.0.
7474

7575
Setup instructions vary depending on the identity provider. In your identity provider, you will either need to edit the [original SSO application](#1-create-an-application-in-your-identity-provider) or create a new SCIM application. Refer to your identity provider's documentation for more details. For example instructions, refer to our [Okta](/cloudflare-one/identity/idp-integration/okta/#synchronize-users-and-groups) or [JumpCloud](/cloudflare-one/identity/idp-integration/jumpcloud-saml/#synchronize-users-and-groups) guides.
7676

77+
If you would like to use groups based policies, ensure that your identity provider sends a "groups" field. The naming must match exactly (case insensitive). All other values will be sent as a SAML attribute.
78+
7779
:::note
7880
If your IdP requires creating a new SCIM application, ensure that the groups in the SCIM application match the groups in the [original SSO application](/cloudflare-one/identity/idp-integration/generic-saml/#1-create-an-application-in-your-identity-provider). Because SCIM group membership updates will overwrite any groups in a user's identity, assigning the same groups to each app ensures consistent policy evaluation.
7981
:::
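
Review bot: The added sentence at line 77 says the name "must match exactly (case insensitive)", which contradicts itself, so a reader cannot tell whether `Groups` or `GROUPS` would be accepted. If the comparison ignores case, say that the field must be named `groups` and that matching is not case-sensitive, and drop "exactly". The following sentence, "All other values will be sent as a SAML attribute", does not name the sender or the recipient, and it sits in the SCIM part of the page, so state whether it describes the SAML assertion from the identity provider or SCIM provisioning. Minor: "groups based policies" should read "group-based policies", and the field name reads better in code formatting than in straight quotes.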
