Moiz V

Reputation Activity

  1. Thanks
    Moiz V reacted to jtstuedle in NameID attribute returned was not found in the Passwordstate database - Possible to auto-provision SAML User?   
    I don't think a custom connector back to Okta (or any other identity provider, really) would be necessary to make this work. If the user has a valid SAML or OIDC session, then Passwordstate can assume that the user successfully authenticated with the IdP and was redirected back to the application. At that point, any claims (groups, email, name) that exist in the SAML token could be treated as valid, and if the user doesn't exist in the database at that time, add in some logic to create their user account in the DB, and then update their group membership (add new groups that exist in the SAML ticket, remove any groups that don't exist in their SAML ticket).
     
    I replied back to support and asked to have this thread moved over to the feature request section! Interested to see if they decide to move forward with developing this functionality or not!
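
The create-if-missing and group-reconciliation logic described in the post above, sketched as an added example; it is not part of the original post and not Passwordstate's code. The `GROUP_MAP` values, the `claims` dictionary layout and the in-memory `db` are constructed assumptions, and the claims are assumed to come from an assertion whose signature, audience and validity window a SAML library has already verified. It goes one step beyond the post by granting and revoking only groups listed in an explicit mapping, so an unexpected IdP group name cannot grant access and locally assigned groups are left alone.

```python
from dataclasses import dataclass, field

# Constructed mapping: IdP group claim value -> local group name.
# Only groups named here are ever granted or revoked by the sync.
GROUP_MAP = {
    "idp-pw-admins": "Admins",
    "idp-pw-users": "Users",
}

@dataclass
class User:
    name_id: str
    email: str
    display_name: str
    groups: set = field(default_factory=set)

def sync_user(db, claims):
    """Create the user on first login, then reconcile IdP-managed groups.

    db     -- dict keyed by NameID, standing in for the user table
    claims -- dict built from an already-validated assertion (assumption)
    Returns (user, created, added, removed).
    """
    name_id = claims.get("name_id", "").strip()
    if not name_id:
        raise ValueError("assertion carries no NameID")

    user = db.get(name_id)
    created = user is None
    if created:
        user = User(name_id, claims.get("email", ""), claims.get("name", ""))
        db[name_id] = user

    # Groups the assertion entitles the user to, after mapping.
    wanted = {GROUP_MAP[g] for g in claims.get("groups", []) if g in GROUP_MAP}
    # Groups this sync is allowed to take away.
    managed = set(GROUP_MAP.values())

    added = wanted - user.groups
    removed = (user.groups & managed) - wanted
    user.groups = (user.groups - removed) | added
    return user, created, sorted(added), sorted(removed)
```

Logging the returned `added` and `removed` lists on every login gives an audit trail of membership changes driven by the IdP.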