Set permissions when signing in with SAML SSO
Overview
Currently, SAML SSO solves the authentication problem. We need to extend it to solve for authorization. A group Owner should be able to set an attribute on their configured identity provider and map permissions in a group to the user when they sign in.
This can behave very similarly to LDAP group sync. We can start with setting a role (Guest/Reporter/Developer/Maintainer/Owner) on the top-level group and consider subgroup mapping in a later iteration.