There are probably many different possibilities, but we know about two.

  • In conjunction with “OneLogin SAML SSO” (currently described in our SSO support doc, the “Advance Access Manager” plugin can be used and the base version is both free and very flexible.  It would help you define additional roles which you could then use in WordPress with the “OneLogin SAML SSO” to map to workgroup(s). It takes quite a bit more configuration, but looks promising. See our setup guide “Integration SSO With WorkGroup” to get started with this option.
  • SAML Single Sign On – SAML SSO Login” used in conjunction with the ‘Advanced Role Mapping’ user plugin that provides similar features.

Both require an SP (Service Provider) IDP with elevated privileges to expose Stanford Workgroup privileges in the SSO reply document when user log in.  Both provide the ability to create new roles for which WordPress is aware.