When a user is provisioned into a GitLab.com group with SSO, we add them as a Guest and rely on the group Owner to adjust their permissions appropriately. Instead, we should be able to configure and map the assertions we receive from the identity provider and automatically grant the user an appropriate role in the group and any relevant subgroups. We do this for LDAP, we should be able to do something similar for SAML.