An enterprise subscription is required for the groups option. Organizations should be used as groups. If there are overlapping access control requirements the groups option can be used instead.
To use user groups all singe sign-on users must be in one organization. The organization then needs to be attached to all servers. Then the groups option in each server can be configured to select which user groups will have access to that server.
To apply user groups the following commands will switch the single sign-on from matching organizations to copying the groups from the single sign-on provider to the Pritunl user. For SAML providers the groups SAML attribute can be used to set the user groups.
sudo pritunl set app.sso_azure_mode '"groups"'
sudo pritunl set app.sso_authzero_mode '"groups"'
sudo pritunl set app.sso_google_mode '"groups"'
It is also possible to manually set user groups in the user settings but this would be overwritten if the user is using single sign-on.