I would like to create an spi implementation to allow custom group / role mapper, but authenticate using standard ldap user federation. this custom mapping would involve a connection to a separate DB, which has already been populated by internal tooling and would identify the user using the same unique reference. I can find example for altering the user storage, but not groups / role mappings where standard user federation has been used. is this possible? many thanks Simon.