Tim
I was experiencing the same issue, then I found that for SAML you have to configure the app (in the Okta dashboard) to return the groups.
What’s really great about this approach is that you have control over which groups you want to return. So if you have groups like “VPN Users”, “Accounting”, along with app-specific groups like “NinjaApp Admin”, “NinjaApp Basic”, etc., you can configure the app to only return the groups that start with NinjaApp. That way your NinjaApp doesn’t get corporate information like that the user is in the VPN group.
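
A service-provider-side check for the group filter described in the comment above, as an added example that is not part of Tim's comment or of Okta's own code: it splits the group values in a received SAML attribute statement into app groups and anything else that came through. The attribute name `groups`, the `NinjaApp` prefix and both sample statements are assumptions constructed for illustration, and the assertion's signature is assumed to have been validated already.

```python
import xml.etree.ElementTree as ET

ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

def _statement(groups):
    """Build a constructed AttributeStatement carrying the given group names."""
    values = "".join(
        f"<saml:AttributeValue>{g}</saml:AttributeValue>" for g in groups
    )
    return (
        f'<saml:AttributeStatement xmlns:saml="{ASSERTION_NS}">'
        f'<saml:Attribute Name="groups">{values}</saml:Attribute>'
        "</saml:AttributeStatement>"
    )

# Constructed samples: the first is what an app sees when every group is
# returned, the second when only groups starting with "NinjaApp" are returned.
UNFILTERED = _statement(["VPN Users", "Accounting", "NinjaApp Admin"])
FILTERED = _statement(["NinjaApp Admin", "NinjaApp Basic"])

def split_groups(statement_xml, attr_name="groups", prefix="NinjaApp"):
    """Return (app_groups, other_groups) found in the named SAML attribute.

    other_groups should be empty when the IdP-side filter is in place; any
    entry there is group membership the app did not need to receive.
    """
    root = ET.fromstring(statement_xml)
    app_groups, other_groups = [], []
    for attr in root.iter(f"{{{ASSERTION_NS}}}Attribute"):
        if attr.get("Name") != attr_name:
            continue
        for value in attr.findall(f"{{{ASSERTION_NS}}}AttributeValue"):
            group = (value.text or "").strip()
            if not group:
                continue
            if group.startswith(prefix):
                app_groups.append(group)
            else:
                other_groups.append(group)
    return app_groups, other_groups

if __name__ == "__main__":
    for label, xml in (("unfiltered", UNFILTERED), ("filtered", FILTERED)):
        app, other = split_groups(xml)
        print(f"{label}: app groups={app} unexpected groups={other}")
```

Logging a non-empty second list at login time gives an early signal that the filter on the identity provider side was removed or changed.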