From 3ba2d12bdf754c1abf6ffc06e547ad7e2d40966c Mon Sep 17 00:00:00 2001
From: Saloni Gupta <saloni.gupta@hpe.com>
Date: Wed, 31 Jul 2024 13:51:15 -0700
Subject: [PATCH] add docs

---
 docs/reference/deploy/master-config-reference.rst | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/docs/reference/deploy/master-config-reference.rst b/docs/reference/deploy/master-config-reference.rst
index 55fe8ddd8088..db41ec7af54b 100644
--- a/docs/reference/deploy/master-config-reference.rst
+++ b/docs/reference/deploy/master-config-reference.rst
@@ -1753,6 +1753,7 @@ used for :ref:`remote user <remote-users>` management.
           groups_attribute_name: "XYZ"
           display_name_attribute_name: "XYZ"
           always_redirect: true
+          exclude_groups_scope: false
 
 ``enabled``
 ===========
@@ -1830,6 +1831,13 @@ sign-in page. This redirection persists unless the user explicitly signs out wit
 SSO user attempts to use an expired session token, they are directly redirected to the SSO provider
 and returned to the requested page after authentication.
 
+``exclude_groups_scope``
+========================
+
+Specifies if the groups scope should be excluded for this OIDC Provider. For most OIDC providers
+like Okta, this should be false (or blank) if you'd like to provision group memberships. But for
+some providers like Azure, which do not support groups scope, this should be set to false.
+
 **********
  ``saml``
 **********