Hi! We’ve encountered a similar problem with SAML and group/role mappings. We’ve therefore implemented some code to synchronize the roles provided by SAML in the Role field (which must be set up manually) with the roles that are available in Zammad so that a user always has the exact matching roles. It’s also optional and off by default, so no one is forced to change something. The (not yet 100% ready) code is at GitHub - giz-berlin/zammad at feature/get-roles-from-saml. With role mapping, a mapping to groups should also be possible. Would this be useful?