Nice! For my use case I need the ability to use multiple groups, so I ended up going with the provider, username and attribute filtering. The only SAML app I have is Omada, so it's a moot point. Idk if it would interfere with other SAML apps or if there is a way to bind the SAML property mappings to specific users/apps/groups?

  @baudneo In the SAML provider you assign the property mappings you want to use. In other words: If a property mappings is specific to one SAML App or common to all SAML Apps is defined by your assignments.
The authentik integration update changed the group property mapping name from usergroup_name to omada_usergroup_name for the sake of a namespace specific to Omada.