From 468fe5786563538204844e3f2f3826e0b21058cd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Elliot=20Morales=20Sol=C3=A9?=
 <5107985+elliotmoso@users.noreply.github.com>
Date: Thu, 30 Jan 2025 12:19:51 +0100
Subject: [PATCH] Update sso.md

---
 docs/features/sso.md | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/docs/features/sso.md b/docs/features/sso.md
index f5e3260..1125d9a 100644
--- a/docs/features/sso.md
+++ b/docs/features/sso.md
@@ -75,6 +75,24 @@ If changing the role of a logged in user, they will need to log out and log back
 
 :::
 
+### OAuth Group Management
+
+Any OAuth provider that can be configured to return groups in the access token can be used to manage user groups in Open WebUI.
+To use this feature set `ENABLE_OAUTH_GROUP_MANAGEMENT` to `true`.
+You can configure the following environment variables to match the groups returned by the OAuth provider:
+
+1. `OAUTH_GROUP_CLAIM` - The claim that contains the groups. Defaults to `groups`. Can also be nested, for example `user.memberOf`.
+
+:::warning
+Admin users do not get their groups updated
+:::
+
+:::info
+
+If changing the group of a logged in user, they will need to log out and log back in to receive the new group.
+
+:::
+
 ## Trusted Header
 
 Open WebUI is able to delegate authentication to an authenticating reverse proxy that passes in the user's details in HTTP headers.