patch: make groups scope optional to support azure with OIDC (#9773)

[channolanp]

Ticket

CM-407

Description

Draft for customer demo requiring Azure/Entra auth only

Test Plan

Tested and merged into main for 0.35.0 release already

Checklist

• Changes have been manually QA'd
• New features have been approved by the corresponding PM
• User-facing API changes have the "User-facing API Change" label
• Release notes have been added as a separate file under docs/release-notes/
  See Release Note for details.
• Licenses have been included for new code which was copied and/or modified from any external code

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 52.21%. Comparing base (ede2396) to head (59a443f).

Additional details and impacted files

@@                Coverage Diff                 @@
##           release-0.34.0    #9778      +/-   ##
==================================================
+ Coverage           49.83%   52.21%   +2.37%     
==================================================
  Files                1247      753     -494     
  Lines              162284   112450   -49834     
  Branches             2887     2888       +1     
==================================================
- Hits                80878    58712   -22166     
+ Misses              81234    53566   -27668     
  Partials              172      172              

Flag	Coverage Δ
backend	34.25% <ø> (-9.75%)	⬇️
harness	63.74% <ø> (ø)
web	46.16% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

see 495 files with indirect coverage changes

[tara-det-ai]

Suggested change

	**NOTE:** ``resource_manager.cluster_name`` is separate from the ``cluster_name`` field of the
	.. note::
	The `resource_manager.cluster_name` is distinct from the `cluster_name` field in the master configuration, which provides a readable name for the Determined deployment.

[tara-det-ai]

Suggested change

master config that provides a readable name for the Determined deployment.

[tara-det-ai]

Suggested change

	Specifies if this OIDC provider should be used for authentication, bypassing the standard Determined
	Specifies whether this OIDC provider should be used for authentication, bypassing the standard Determined

[tara-det-ai]

Suggested change

	sign-in page. This redirection persists unless the user explicitly signs out within the WebUI. If an
	sign-in page. This redirection persists unless the user explicitly signs out via the WebUI. If an

[tara-det-ai]

Suggested change

	SSO user attempts to use an expired session token, they are directly redirected to the SSO provider
	SSO user attempts to use an expired session token, they will be redirected to the SSO provider

[tara-det-ai]

Suggested change

	Specifies if the groups scope should be excluded for this OIDC provider. For most OIDC providers
	Indicates whether the groups scope should be excluded for this OIDC provider. For most OIDC providers

[tara-det-ai]

Suggested change

	such as Okta, this should be false (or blank) if you'd like to provision group memberships. But for
	such as Okta, this should be set to false (or blank) if you want to provision group memberships. However, for

[tara-det-ai]

Suggested change

	Specifies if this SAML provider should be used for authentication, bypassing the standard Determined
	Specifies whether this SAML provider should be used for authentication, bypassing the standard Determined

[tara-det-ai]

Suggested change

	sign-in page. This redirection persists unless the user explicitly signs out within the WebUI. If a
	sign-in page. This redirection persists unless the user explicitly signs out via the WebUI. If a

[tara-det-ai]

Suggested change

	SSO user attempts to use an expired session token, they are directly redirected to the SAML provider
	SSO user attempts to use an expired session token, they will be redirected to the SAML provider

[tara-det-ai]

added suggestions