diff --git a/chart/templates/uds-package.yaml b/chart/templates/uds-package.yaml
index 2192a62..e4cd635 100644
--- a/chart/templates/uds-package.yaml
+++ b/chart/templates/uds-package.yaml
@@ -28,6 +28,13 @@ spec:
 - "mapper-saml-grouplist-groups"
 - "mapper-saml-username-name"
 {{- end }}
+ groups:
+ anyOf:
+ {{- if .Values.sso.requiredGroups }}
+ {{- range .Values.sso.requiredGroups }}
+ - "{{ . }}"
+ {{- end }}
+ {{- end }}
 attributes:
 saml.client.signature: "false"
diff --git a/chart/values.yaml b/chart/values.yaml
index f0790ba..2d5611c 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -9,7 +9,8 @@ sso:
 # protocol should be either 'saml' or 'openid_connect'
 protocol: saml
 # This will replace the current list of default client scopes.
- defaultClientScopes: {}
+ defaultClientScopes: []
+ requiredGroups: []
 # customNetworkPolicies:
 # # Notice no `remoteGenerated` field here on custom internal rule
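Review bot: With the default `requiredGroups: []`, the added block still renders `groups:` with a bare `anyOf:` key, because the `if` guard sits under `anyOf:` instead of around the whole block. The rendered value is YAML null, and whether the Package schema rejects it or treats it as "no group restriction" cannot be told from this hunk. Either way the access-control stanza should not be emitted half-formed. Open the block with `{{- with .Values.sso.requiredGroups }}` before `groups:`, iterate with `{{- range . }}`, and close the `with` after the range, which makes the inner `if` unnecessary. The item would also be safer as `- {{ . | quote }}`, since `"{{ . }}"` yields broken YAML for a group name containing a double quote or backslash. The enclosing `spec` entry starts and ends outside the hunk.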
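Review bot: `requiredGroups` is added without a comment of its own, directly under the comment that describes `defaultClientScopes`, so a reader can take that comment to cover both keys. Judging by the template hunk in this commit, an empty list appears to leave the SSO client with no group restriction, and that fail-open default should be stated where operators set the value. Suggested comment above the key: `# Groups allowed to use this client (membership in any one suffices). Empty list = no group restriction.` It would help to also note the expected group-name format, which is not visible in this diff.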