As an enterprise user of Strapi, we have found that the current SSO functionality (OIDC providers) lacks dynamic role mapping based on group claims. In large organizations, managing access across different software is challenging, and Strapi currently requires manual role updates or custom code to handle this.
Many enterprise OIDC providers (Azure AD, Okta, Keycloak, etc.) return group claims in the ID token or via the userinfo endpoint. Strapi should natively support mapping these external group claims to multiple Strapi roles and update them dynamically on every login.
Example Scenario:
• Group-to-role mapping (per OIDC provider):
    • axxxx → Admin
    • bxxxx → Editor
    • cxxxx → Author
• First login: user belongs to ["axxxx", "bxxxx"] → roles: Admin + Editor
• Second login: user belongs to ["bxxxx", "cxxxx"] → roles: Editor + Author
This ensures roles always reflect the user’s current group membership and reduces the operational burden for enterprise IT teams.
Benefits for Enterprise Users:
• Dynamic, real-time role updates without custom code
• Consistent access management across multiple systems
• Support for multiple roles per user
• Works with any OIDC-compliant provider
Proposed UX / Implementation Idea:
• Allow defining group-to-role mappings per OIDC provider in the users-permissions plugin
• Automatically update user roles at login based on current group claims
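The reconciliation step the scenario and the proposal describe, as an added example (not Strapi's code, and not a Strapi API): the role set is recomputed from the group claim on every login and then diffed against the stored roles, so a group the user has left is removed rather than accumulated. The function names, the `groups` claim name, the `Authenticated` fallback role and the sample token payloads are assumptions constructed for the example; the group identifiers are the placeholders from the scenario above.

```javascript
// Added example: map OIDC group claims to roles and reconcile them on each login.
// Names (extractGroups, resolveRoles, reconcileRoles, syncRolesOnLogin) and the
// mapping table are illustrative assumptions, not part of Strapi.

// Per-provider mapping from external group identifier to role name(s).
// One group may grant several roles; unmapped groups are ignored.
const GROUP_TO_ROLE = {
  axxxx: ['Admin'],
  bxxxx: ['Editor'],
  cxxxx: ['Author'],
};

// Role applied when the token carries no mapped groups (assumed name).
const DEFAULT_ROLE = 'Authenticated';

// Read the group claim from an ID-token payload or a userinfo response.
// Accepts an array or a space/comma separated string; a missing claim yields [].
function extractGroups(claims, claimName = 'groups') {
  const value = claims && claims[claimName];
  if (Array.isArray(value)) return value.filter((g) => typeof g === 'string');
  if (typeof value === 'string') return value.split(/[\s,]+/).filter(Boolean);
  return [];
}

// Derive the complete role set from the CURRENT groups only. Previous roles are
// deliberately not merged in, which is what makes the mapping dynamic.
function resolveRoles(groups, mapping = GROUP_TO_ROLE, fallback = DEFAULT_ROLE) {
  const roles = new Set();
  for (const group of groups) {
    for (const role of mapping[group] || []) roles.add(role);
  }
  if (roles.size === 0) roles.add(fallback);
  return [...roles].sort();
}

// Diff desired roles against the stored ones so the caller can persist the
// change (and log it: role removals are a useful audit event).
function reconcileRoles(existing, desired) {
  const have = new Set(existing);
  const want = new Set(desired);
  return {
    roles: [...want].sort(),
    add: [...want].filter((r) => !have.has(r)).sort(),
    remove: [...have].filter((r) => !want.has(r)).sort(),
  };
}

// One login: recompute roles from the token claims and apply the diff.
function syncRolesOnLogin(user, claims, mapping = GROUP_TO_ROLE) {
  const desired = resolveRoles(extractGroups(claims), mapping);
  const change = reconcileRoles(user.roles, desired);
  return { ...user, roles: change.roles, lastChange: change };
}

// Constructed sample: the two logins from the scenario.
let user = { id: 1, roles: [] };
user = syncRolesOnLogin(user, { sub: 'u1', groups: ['axxxx', 'bxxxx'] });
console.log(user.roles);                  // [ 'Admin', 'Editor' ]
user = syncRolesOnLogin(user, { sub: 'u1', groups: ['bxxxx', 'cxxxx'] });
console.log(user.roles, user.lastChange); // [ 'Author', 'Editor' ], add Author / remove Admin
```

Two design points worth keeping from this sketch: the role set is always rebuilt from the current claim rather than merged with what was stored, and an absent or empty group claim collapses to the default role instead of silently preserving stale privileges (if a provider omits the claim under some conditions, the login flow should fetch groups from the userinfo endpoint before this step rather than treat the omission as "no groups"). The example stores `roles` as an array, which matches the multiple-roles-per-user request; in current Strapi that shape corresponds to admin users, while users-permissions end users carry a single `role`, so the diff there would reduce to choosing one role.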