Add call out that groups must match exactly (#18743)

* Update generic-saml.mdx

add call out for Groups match

* Update generic-oidc.mdx

* Update jumpcloud-saml.mdx

* groups SCIM attribute

* Update src/content/docs/cloudflare-one/identity/idp-integration/jumpcloud-saml.mdx

---------

Co-authored-by: Ranbel Sun <[email protected]>
Co-authored-by: ranbel <[email protected]>

Author: kennyj42

src/content/docs/cloudflare-one/identity/idp-integration/generic-oidc.mdx

@@ -68,9 +68,12 @@ Your identity provider must support SCIM version 2.0.
 
 Setup instructions vary depending on the identity provider. In your identity provider, you will either need to edit the [original SSO application](/cloudflare-one/identity/idp-integration/generic-oidc/#set-up-a-generic-oidc) or create a new SCIM application. Refer to your identity provider's documentation for more details. For example instructions, refer to our [Okta](/cloudflare-one/identity/idp-integration/okta/#synchronize-users-and-groups) or [Jumpcloud](/cloudflare-one/identity/idp-integration/jumpcloud-saml/#synchronize-users-and-groups) guides.
 
-:::note
-If your IdP requires creating a new SCIM application, ensure that the groups in the SCIM application match the groups in the [original SSO application](/cloudflare-one/identity/idp-integration/generic-oidc/#set-up-a-generic-oidc). Because SCIM group membership updates will overwrite any groups in a user's identity, assigning the same groups to each app ensures consistent policy evaluation.
-:::
+#### IdP groups
+
+If you would like to build policies based on IdP groups:
+
+- Ensure that your IdP sends a `groups` field. The naming must match exactly (case insensitive). All other values will be sent as a OIDC claim.
+- If your IdP requires creating a new SCIM application, ensure that the groups in the SCIM application match the groups in the [original SSO application](/cloudflare-one/identity/idp-integration/generic-oidc/#set-up-a-generic-oidc). Because SCIM group membership updates will overwrite any groups in a user's identity, assigning the same groups to each app ensures consistent policy evaluation.
 
 ### 3. Verify SCIM provisioning
 

src/content/docs/cloudflare-one/identity/idp-integration/generic-saml.mdx

@@ -74,9 +74,12 @@ Your identity provider must support SCIM version 2.0.
 
 Setup instructions vary depending on the identity provider. In your identity provider, you will either need to edit the [original SSO application](#1-create-an-application-in-your-identity-provider) or create a new SCIM application. Refer to your identity provider's documentation for more details. For example instructions, refer to our [Okta](/cloudflare-one/identity/idp-integration/okta/#synchronize-users-and-groups) or [JumpCloud](/cloudflare-one/identity/idp-integration/jumpcloud-saml/#synchronize-users-and-groups) guides.
 
-:::note
-If your IdP requires creating a new SCIM application, ensure that the groups in the SCIM application match the groups in the [original SSO application](/cloudflare-one/identity/idp-integration/generic-saml/#1-create-an-application-in-your-identity-provider). Because SCIM group membership updates will overwrite any groups in a user's identity, assigning the same groups to each app ensures consistent policy evaluation.
-:::
+#### IdP groups
+
+If you would like to build policies based on IdP groups:
+
+- Ensure that your IdP sends a `groups` field. The naming must match exactly (case insensitive). All other values will be sent as a SAML attribute.
+- If your IdP requires creating a new SCIM application, ensure that the groups in the SCIM application match the groups in the [original SSO application](/cloudflare-one/identity/idp-integration/generic-saml/#1-create-an-application-in-your-identity-provider). Because SCIM group membership updates will overwrite any groups in a user's identity, assigning the same groups to each app ensures consistent policy evaluation.
 
 ### 3. Verify SCIM provisioning
 

src/content/docs/cloudflare-one/identity/idp-integration/jumpcloud-saml.mdx

@@ -81,13 +81,15 @@ The JumpCloud integration allows you to synchronize user groups and automaticall
 
 1. In the [JumpCloud Admin Portal](https://console.jumpcloud.com/#/home), go to **SSO Applications**.
 2. Select the Cloudflare application that was created when you [Set up JumpCloud as a SAML provider](/cloudflare-one/identity/idp-integration/jumpcloud-saml/#set-up-jumpcloud-as-a-saml-provider).
-3. Select the **Identity Management** tab.
-4. Make sure that **Enable management of User Groups and Group Membership in this application** is turned on.
-5. Select **Configure**.
-6. In the **Base URL** field, enter the **SCIM Endpoint** obtained from Zero Trust.
-7. In the **Token Key** field, enter the **SCIM Secret** obtained from Zero Trust.
-8. Select **Activate**. You will receive a confirmation that the Identity Management integration has been successfully verified.
-9. Select **Save**.
+3. Select the **SSO** tab.
+3. To provision user groups, select **Include group attribute** and enter `groups`. The group attribute name has to exactly match `groups` or else it will be sent as a SAML attribute.
+5. Select the **Identity Management** tab.
+6. Make sure that **Enable management of User Groups and Group Membership in this application** is turned on.
+7. Select **Configure**.
+8. In the **Base URL** field, enter the **SCIM Endpoint** obtained from Zero Trust.
+9. In the **Token Key** field, enter the **SCIM Secret** obtained from Zero Trust.
+10. Select **Activate**. You will receive a confirmation that the Identity Management integration has been successfully verified.
+11. Select **Save**.
 
 <Render file="access/verify-scim-provisioning"/>