What is the behavior of SSO when switching over from AD groups in terms of how it uses the inbound group attribute

Article ID: 281940

Products

CA Test Data Manager (Data Finder / Grid Tools)

Issue/Introduction

What will happen when an SSO/SAML user connects, in terms of groups and access? I checked with my PingIdentity team, and they can send back the 'existing AD groups' as stated below. Would these relationships between the user and access be honored?

Would it create the groups in the SSO tables inside the gtrep repository?

Would I have a naming overlap that would allow users the same access because a group has the same name as the AD group?

Lastly, as you've requested to configure the "Groups" SAML attribute, please mention in the intake form which prefix the team would like to apply the AD group filter on. For instance, if your app AD groups are TSTDM_Users, TSTDM_Admin, etc., then we can apply a filter on "TSTDM_"; in this case, any AD groups that the user belongs to in AD which start with TSTDM_ will be passed in the SAML assertion.

The UserID coming from PingIdentity should match what is normally stored in the gtrep.security_user table SU_Name field, correct?

Environment

TDM Portal 4.10.96.0+

Resolution

If your SSO is configured to pass the LDAP group assertions, TDM picks up the AD/LDAP groups from the SAML assertion and automatically populates them into the SAML group table in the GTREP repository. A TDM user associated with the SAML groups can therefore have up to three user accounts, depending on your configuration: a native TDM account, an AD/LDAP account, and a SAML account. Each account type is managed by TDM in its own separate group table, so a SAML group with the same name as a native or AD/LDAP group is not merged with it; however, each user account appears as an individual entry in the gtrep.security_user table, and the user ID sent by PingIdentity (the SAML NameID) must match the value in the SU_Name field for the account to be recognized.

This is the expression pre-configured from PingIdentity to get Group Names.

This is where working with a PingIdentity expert can help: they can verify how the AD/LDAP groups are fed into the Ping assertion and determine the proper filter expression (for example, the group-name prefix) so that only the intended groups are released.
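The following walk-through is an added example written for this article; it is not TDM or PingIdentity code and does not use the real gtrep schema. It models the flow the resolution describes: the IdP releases only AD groups matching an agreed prefix (TSTDM_) in a "Groups" attribute, TDM maps the assertion's NameID to gtrep.security_user.SU_Name, and the released groups land in a SAML group table kept separate from the native and AD/LDAP group tables, so a same-named group in another table does not merge. The attribute name "Groups", the table layout other than security_user/SU_Name, and the defensive prefix re-check on the service-provider side are assumptions for illustration.

```python
"""Added example: how a prefix-filtered SAML Groups attribute reaches a
separate SAML group table (toy model, not the TDM/gtrep implementation)."""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
GROUPS_ATTR = "Groups"  # attribute name agreed with the IdP team (assumption)


def idp_filter_groups(ad_groups, prefix):
    """IdP-side prefix filter: only AD groups starting with `prefix` are released."""
    return sorted(g for g in ad_groups if g.startswith(prefix))


def build_assertion(name_id, groups):
    """Constructed, unsigned SAML 2.0 assertion with NameID and a multi-valued
    Groups attribute. Real assertions are signed; signature checks are out of scope."""
    ET.register_namespace("saml", SAML_NS)
    assertion = ET.Element(f"{{{SAML_NS}}}Assertion")
    subject = ET.SubElement(assertion, f"{{{SAML_NS}}}Subject")
    ET.SubElement(subject, f"{{{SAML_NS}}}NameID").text = name_id
    stmt = ET.SubElement(assertion, f"{{{SAML_NS}}}AttributeStatement")
    attr = ET.SubElement(stmt, f"{{{SAML_NS}}}Attribute", Name=GROUPS_ATTR)
    for g in groups:
        ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue").text = g
    return ET.tostring(assertion, encoding="unicode")


def parse_assertion(xml_text):
    """Return (name_id, groups); other attributes and empty values are ignored."""
    root = ET.fromstring(xml_text)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    groups = []
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != GROUPS_ATTR:
            continue
        for value in attr.findall("saml:AttributeValue", NS):
            if value.text and value.text.strip():
                groups.append(value.text.strip())
    return name_id, groups


class GtrepModel:
    """Toy model of the repository: one security_user row per account, and a
    separate group table per account type (table names are assumptions)."""
    NATIVE, AD, SAML = "native", "ad_ldap", "saml"

    def __init__(self):
        self.security_user = []  # rows of (SU_Name, account_type)
        self.groups = {self.NATIVE: {}, self.AD: {}, self.SAML: {}}

    def add_account(self, su_name, account_type, group_names=()):
        row = (su_name, account_type)
        if row not in self.security_user:
            self.security_user.append(row)
        table = self.groups[account_type]
        for g in group_names:
            table.setdefault(g, set()).add(su_name)

    def ingest_saml_login(self, xml_text, prefix):
        """SAML login: NameID becomes SU_Name, released groups go to the SAML table.
        The prefix re-check is a defensive assumption, not documented TDM behavior."""
        name_id, groups = parse_assertion(xml_text)
        if not name_id:
            raise ValueError("assertion has no NameID; cannot map to SU_Name")
        unexpected = [g for g in groups if not g.startswith(prefix)]
        if unexpected:
            raise ValueError(f"groups outside agreed prefix {prefix!r}: {unexpected}")
        self.add_account(name_id, self.SAML, groups)
        return name_id, groups

    def accounts_for(self, su_name):
        """All account types that share this SU_Name (up to three)."""
        return sorted(t for n, t in self.security_user if n == su_name)

    def members_of(self, group_name):
        """Look up a group name per table; same-named groups never merge."""
        return {t: sorted(tbl.get(group_name, ())) for t, tbl in self.groups.items()}


def walkthrough():
    """Constructed scenario: jsmith has native and AD/LDAP accounts, then logs in via SAML."""
    ad_groups = ["TSTDM_Users", "TSTDM_Admin", "Domain Users", "Finance_RO"]
    released = idp_filter_groups(ad_groups, "TSTDM_")
    repo = GtrepModel()
    repo.add_account("jsmith", GtrepModel.NATIVE, ["TSTDM_Admin"])
    repo.add_account("jsmith", GtrepModel.AD, ["TSTDM_Admin"])
    repo.ingest_saml_login(build_assertion("jsmith", released), "TSTDM_")
    return repo


if __name__ == "__main__":
    r = walkthrough()
    print(r.accounts_for("jsmith"))
    print(r.members_of("TSTDM_Admin"))
    print(r.members_of("TSTDM_Users"))
```

Running the walk-through shows three separate account rows for jsmith, TSTDM_Admin present in all three group tables, and TSTDM_Users only in the SAML table: access granted through the native or AD/LDAP group is not inherited by the SAML account just because the names match, and groups outside the agreed prefix (Domain Users, Finance_RO) never reach the repository.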

Additional Information

Note: Native or AD/LDAP user accounts are required for accessing GT Datamaker, since GT Datamaker does not support SAML user accounts.

For more information regarding configuring TDM Portal for SSO authentication, see SSO Authentication in TDM Portal