Hey, Please bear with me as I am quite new at this stuff and I am still struggling with getting to grips with all the terms and relationships in Keycloak. I am trying to set up Keycloak realm to use Google OIDC IDP and whole setting up oidc login flow was rather straight forward, there are still few things I can not figure out. First - I want to limit set of users who can gain access to a single google hosted domain. The google identity token contains a claim called ‘hd’ but I can’t figure out how can I use it to limit/restrict logins from other google hosted domains. I suppose it should be part of initial login flow, but I can’t really see how or where should I configure this. (Google oidc endpoint also supports a proprietary argument with the same name that should be used to restrict google account selection dialogue to only the specified hosted domain, but again, I do not see where I can hard code it’s value for an IDP authentication request) Second. How do I get google domain groups for the authenticated users? They are not returned as user claims in a token. Google’s documentation suggests I need to ask google directory services for that information. Has anyone managed to integrate google hosted domains with Keycloak ad do you have a recepie for how one can fetch google group memberships for logged in users into Keycloak.? Roland