From ff355e01d457047a6a36e4dad0fe6d3c22ada597 Mon Sep 17 00:00:00 2001 From: fufesou <13586388+fufesou@users.noreply.github.com> Date: Wed, 4 Feb 2026 13:33:12 +0800 Subject: [PATCH] Updated FAQ (markdown) --- FAQ.md | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) diff --git a/FAQ.md b/FAQ.md index 7124697..6a7e6d1 100644 --- a/FAQ.md +++ b/FAQ.md @@ -1824,5 +1824,38 @@ e.g. https://github.com/rustdesk/rustdesk/discussions/14200 +# OIDC Map groups + +image +OIDC Map Groups Behavior: + +When a user first logs in: + - Create any groups returned by OIDC that don't already exist. + - Assign the user to only one group (specifically, the last one in the OIDC response). + +Configurations: + - Okta https://developer.okta.com/docs/guides/customize-tokens-groups-claim/main/#add-a-groups-claim-for-the-org-authorization-server + - Azure https://learn.microsoft.com/en-us/entra/identity-platform/optional-claims?tabs=manifest#configuring-group-optional-claims + Returning group names (instead of IDs) requires setting these fields: + ```json + "groupMembershipClaims": "ApplicationGroup", + "optionalClaims": { + "idToken": [ + { + "name": "groups", + "additionalProperties": [ + "sam_account_name", + "cloud_displayname" + ] + } + ] + } + ``` + + - Keycloak Clients -> (your client) -> Client scopes -> (clientid)-dedicated -> Mappers -> Add mappers -> By configuration -> Group Membership + "Token Claim Name": "groups" + - Gitlab. + - The Private groups may also be returned in the "groups" claim. + - Active and inactive groups are all returned. \ No newline at end of file
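Review bot: the "OIDC Map Groups Behavior" section says every group in the OIDC response is created, yet the user is assigned to only "the last one in the OIDC response"; claim ordering is generally not guaranteed by providers, so the FAQ should state plainly that the resulting assignment is unpredictable when the IdP returns more than one group, and advise admins who use groups for access control to configure the IdP to emit a single group (or filter the claim) rather than rely on the order. The same section should also spell out the consequence of "Create any groups returned by OIDC that don't already exist": names that already exist are reused, so a group created on the IdP side with the same name as an existing server group places the user in that existing group on first login, which is the caveat a reader of this entry most needs. Smaller points: the stray line "image" under the heading looks like a lost markdown image reference and should either become the `![...](...)` link or be dropped; "Gitlab." should lose the trailing period and "The Private groups" the capital P; "Active and inactive groups are all returned" reads better as "both active and inactive groups are returned"; and the Okta entry is a bare link while Azure and Keycloak give the concrete claim settings, so a one-line note of what to configure for Okta would give the list parity.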