Concourse gives permission to SAML user based on the very first group only and ignores the rest of the groups due to group delimiter configuration

Article ID: 297213

Products

Concourse for VMware Tanzu

Issue/Introduction

The customer has integrated Concourse with SAML authentication, but users are not being granted the expected team permissions based on their assigned groups: only the very first group is detected.
The customer has inspected the SAML token and confirmed that it carries multiple groups correctly. However, when a user logs in to Concourse, Concourse grants permissions based on the very first group only and ignores the rest.

Resolution

The root cause is that the customer has configured GroupsDelim (groups_delim) in the SAML auth configuration:
    username_attr: "email"
    email_attr: "email"
    groups_attr: "groups"
    name_id_policy_format: "emailAddress"
    groups_delim: ";"

In the SAML response logged in web.stdout.log, the groups attribute is returned as an array of group names, not as a single string of group names joined by the delimiter:

/web.stdout.log:{"timestamp":"2023-06-19T07:58:49.933387133Z","level":"info","source":"atc","message":"atc.dex.event","data":{"fields":{},"message":"parsed and verified saml response attributes \"email\" = \xxx\, \"groups\" = [\"*AAA\" \"*BBB\" \"*CCC\" \"*DDD\"]","session":"15"}}

From the dex code and the documentation of GroupsDelim:
    // If GroupsDelim is supplied the connector assumes groups are returned as a
    // single string instead of multiple attribute values. This delimiter will be
    // used to split the groups string.
    GroupsDelim   string   `json:"groupsDelim"`
Thus, to make group-based team permissions work, the customer can remove the groups_delim setting from the Concourse SAML auth configuration if they want to keep the current format of the groups attribute in the token (one attribute value per group). A delimiter should only be configured when the identity provider returns all groups as a single delimited string.
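The following is an added example, not code from this article or from dex: a simplified Go model of the group-handling rule quoted above, run against the four group values from the web.stdout.log excerpt. The function name groupsFromAttribute and the sample values are constructed for illustration; it shows why groups_delim with an array-valued attribute yields only the first group, and what each configuration is meant for.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample: the groups attribute as it appears in the log excerpt,
// one attribute value per group rather than one delimited string.
var sampleGroupValues = []string{"*AAA", "*BBB", "*CCC", "*DDD"}

// groupsFromAttribute models (simplified, not dex's own code) how the dex SAML
// connector derives the group list from the groups attribute values.
// With a delimiter configured, only the first attribute value is consulted and
// split on the delimiter; without one, every attribute value is its own group.
func groupsFromAttribute(values []string, groupsDelim string) []string {
	if len(values) == 0 {
		return nil
	}
	if groupsDelim != "" {
		// Array-valued attribute plus a delimiter: everything after the first
		// value is silently dropped, which is the symptom in this article.
		return strings.Split(values[0], groupsDelim)
	}
	out := make([]string, len(values))
	copy(out, values)
	return out
}

func main() {
	// Misconfiguration described above: array-valued groups with groups_delim ";".
	fmt.Println(groupsFromAttribute(sampleGroupValues, ";")) // [*AAA]
	// Resolution: drop groups_delim and keep the array-valued attribute.
	fmt.Println(groupsFromAttribute(sampleGroupValues, "")) // [*AAA *BBB *CCC *DDD]
	// The token shape groups_delim is designed for: one string joined by ";".
	fmt.Println(groupsFromAttribute([]string{"*AAA;*BBB;*CCC;*DDD"}, ";"))
}
```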