We implemented LDAP group syncing for security groups which worked well for us for as we transitioned to SAML authentication to support passwordless logins and multi-factor authentication it does not function correctly. We need to the user to login via LDAP to update their groups or manual expand the groups for SAML users to update their LDAP group memberships.

I think long term it would be better to support SAML claims which can be used to replace LDAP group syncing and to dynamically populate security groups. This can be a 1:1 mapping or provide an option similar to LDAP groups where the security groups applies only if you are a member of all of the listed groups.