Even though users are able to authenticate via SSO, they are not automatically assigned to teams based on the groups claim. As a result, they receive a 403 Forbidden error on login unless we manually assign them to a team via the Dependency-Track UI.

This is not the expected behavior, especially since team assignment via OIDC group claims should be automatic when the relevant environment variables are configured.

Below are the configurations used

• name: ALPINE_OIDC_ENABLED
  value: "true"
• name: ALPINE_OIDC_ISSUER
  value: "<https://login.microsoftonline.com//v2.0>"
• name: ALPINE_OIDC_CLIENT_ID
  value: ""
• name: ALPINE_OIDC_USERNAME_CLAIM
  value: "preferred_username"
• name: ALPINE_OIDC_USER_PROVISIONING
  value: "true"
• name: ALPINE_OIDC_TEAMS_CLAIM
  value: "groups"
• name: ALPINE_OIDC_VIEWER_GROUPS
  value: "xxxxx-xxxxx-xxxx-xx-xxxxx"
• name: ALPINE_OIDC_SYNCHRONIZATION
  value: "true"
• name: ALPINE_OIDC_FETCH_GROUPS
  value: "true"
• name: ALPINE_OIDC_DEFAULT_TEAMS
  value: "Automation"

Please help on this, users are getting forbidden

We would appreciate your help in understanding:
Whether ALPINE_OIDC_TEAMS_CLAIM=groups supports group object IDs from Entra ID, or if group names are expected?
Are we missing any additional configurations needed to map Entra ID group claims correctly to Dependency-Track teams?