descope · dorsha · Jan 12, 2026 · Jan 11, 2026 · Jan 11, 2026 · Jan 11, 2026
diff --git a/descope/management/sso_settings.py b/descope/management/sso_settings.py
@@ -92,6 +92,9 @@ def __init__(
         prompt: Optional[List[str]] = None,
         grant_type: Optional[str] = None,
         issuer: Optional[str] = None,
+        groups_priority: Optional[
+            List[str]
+        ] = None,  # list of group names in priority order (first = highest priority)
     ):
         self.name = name
         self.client_id = client_id
@@ -108,6 +111,7 @@ def __init__(
         self.prompt = prompt
         self.grant_type = grant_type
         self.issuer = issuer
+        self.groups_priority = groups_priority
 
 
 class SSOSAMLSettings:
@@ -124,6 +128,9 @@ def __init__(
         role_mappings: Optional[List[RoleMapping]] = None,
         default_sso_roles: Optional[List[str]] = None,
         idp_additional_certs: Optional[List[str]] = None,
+        groups_priority: Optional[
+            List[str]
+        ] = None,  # list of group names in priority order (first = highest priority)
         # NOTICE - the following fields should be overridden only in case of SSO migration, otherwise, do not modify these fields
         sp_acs_url: Optional[str] = None,
         sp_entity_id: Optional[str] = None,
@@ -137,6 +144,7 @@ def __init__(
         self.idp_additional_certs = idp_additional_certs
         self.sp_acs_url = sp_acs_url
         self.sp_entity_id = sp_entity_id
+        self.groups_priority = groups_priority
 
 
 class SSOSAMLSettingsByMetadata:
@@ -150,6 +158,9 @@ def __init__(
         attribute_mapping: Optional[AttributeMapping] = None,
         role_mappings: Optional[List[RoleMapping]] = None,
         default_sso_roles: Optional[List[str]] = None,
+        groups_priority: Optional[
+            List[str]
+        ] = None,  # list of group names in priority order (first = highest priority)
         # NOTICE - the following fields should be overridden only in case of SSO migration, otherwise, do not modify these fields
         sp_acs_url: Optional[str] = None,
         sp_entity_id: Optional[str] = None,
@@ -160,6 +171,7 @@ def __init__(
         self.default_sso_roles = default_sso_roles
         self.sp_acs_url = sp_acs_url
         self.sp_entity_id = sp_entity_id
+        self.groups_priority = groups_priority
 
 
 class SSOSettings(HTTPBase):
@@ -516,6 +528,7 @@ def _compose_configure_oidc_settings_body(
                 "prompt": settings.prompt,
                 "grantType": settings.grant_type,
                 "issuer": settings.issuer,
+                "groupsPriority": settings.groups_priority,
             },
             "domains": domains,
         }
@@ -547,6 +560,7 @@ def _compose_configure_saml_settings_body(
                     settings.role_mappings
                 ),
                 "defaultSSORoles": settings.default_sso_roles,
+                "groupsPriority": settings.groups_priority,
             },
             "redirectUrl": redirect_url,
             "domains": domains,
@@ -576,6 +590,7 @@ def _compose_configure_saml_settings_by_metadata_body(
                     settings.role_mappings
                 ),
                 "defaultSSORoles": settings.default_sso_roles,
+                "groupsPriority": settings.groups_priority,
             },
             "redirectUrl": redirect_url,
             "domains": domains,

diff --git a/descope/management/user.py b/descope/management/user.py
@@ -1082,7 +1082,12 @@ def update_email(
         """
         response = self._http.post(
             MgmtV1.user_update_email_path,
-            body={"loginId": login_id, "email": email, "verified": verified, "failOnConflict": fail_on_conflict},
+            body={
+                "loginId": login_id,
+                "email": email,
+                "verified": verified,
+                "failOnConflict": fail_on_conflict,
+            },
         )
         return response.json()
 
@@ -1112,7 +1117,12 @@ def update_phone(
         """
         response = self._http.post(
             MgmtV1.user_update_phone_path,
-            body={"loginId": login_id, "phone": phone, "verified": verified, "failOnConflict": fail_on_conflict},
+            body={
+                "loginId": login_id,
+                "phone": phone,
+                "verified": verified,
+                "failOnConflict": fail_on_conflict,
+            },
         )
         return response.json()
 

diff --git a/samples/management/sso_sample_app.py b/samples/management/sso_sample_app.py
@@ -47,6 +47,7 @@ def main():
                     verified_phone="verifiedPhone",
                     picture="picture",
                 ),
+                groups_priority=["admin_group", "user_group"],
             )
             descope_client.mgmt.sso.configure_oidc_settings(tenant_id, settings)
         except AuthException as e:
@@ -76,6 +77,7 @@ def main():
                     group="groups",
                 ),
                 role_mappings=[RoleMapping(groups=["grp1"], role_name="rl1")],
+                groups_priority=["admin_group", "user_group"],
             )
             descope_client.mgmt.sso.configure_saml_settings(tenant_id, settings)
         except AuthException as e:
@@ -103,6 +105,7 @@ def main():
                     group="groups",
                 ),
                 role_mappings=[RoleMapping(groups=["grp1"], role_name="rl1")],
+                groups_priority=["admin_group", "user_group"],
             )
             descope_client.mgmt.sso.configure_saml_settings_by_metadata(
                 tenant_id, settings, domains=["kuki.com"]

diff --git a/tests/management/test_sso_settings.py b/tests/management/test_sso_settings.py
@@ -174,6 +174,7 @@ def test_configure_oidc_settings(self):
                             verified_phone="verifiedPhone",
                             picture="picture",
                         ),
+                        groups_priority=["group1"],
                     ),
                     ["domain.com"],
                 )
@@ -216,6 +217,7 @@ def test_configure_oidc_settings(self):
                             "verifiedPhone": "verifiedPhone",
                             "picture": "picture",
                         },
+                        "groupsPriority": ["group1"],
                     },
                     "domains": ["domain.com"],
                 },
@@ -275,6 +277,7 @@ def test_configure_saml_settings(self):
                         sp_acs_url="http://spacsurl.com",
                         sp_entity_id="spentityid",
                         default_sso_roles=["aa", "bb"],
+                        groups_priority=["group1"],
                     ),
                     "https://redirect.com",
                     ["domain.com"],
@@ -310,6 +313,7 @@ def test_configure_saml_settings(self):
                         "spACSUrl": "http://spacsurl.com",
                         "spEntityId": "spentityid",
                         "defaultSSORoles": ["aa", "bb"],
+                        "groupsPriority": ["group1"],
                     },
                     "redirectUrl": "https://redirect.com",
                     "domains": ["domain.com"],
@@ -361,6 +365,7 @@ def test_configure_saml_settings_by_metadata(self):
                         sp_acs_url="http://spacsurl.com",
                         sp_entity_id="spentityid",
                         default_sso_roles=["aa", "bb"],
+                        groups_priority=["group1"],
                     ),
                     "https://redirect.com",
                     ["domain.com"],
@@ -393,6 +398,7 @@ def test_configure_saml_settings_by_metadata(self):
                         "spACSUrl": "http://spacsurl.com",
                         "spEntityId": "spentityid",
                         "defaultSSORoles": ["aa", "bb"],
+                        "groupsPriority": ["group1"],
                     },
                     "redirectUrl": "https://redirect.com",
                     "domains": ["domain.com"],
@@ -427,6 +433,7 @@ def test_configure_saml_settings_with_additional_certs(self):
                         ),
                         role_mappings=[RoleMapping(groups=["grp1"], role_name="rl1")],
                         default_sso_roles=["aa", "bb"],
+                        groups_priority=["group1"],
                     ),
                     "https://redirect.com",
                     ["domain.com"],
@@ -462,6 +469,7 @@ def test_configure_saml_settings_with_additional_certs(self):
                         "spACSUrl": None,
                         "spEntityId": None,
                         "defaultSSORoles": ["aa", "bb"],
+                        "groupsPriority": ["group1"],
                     },
                     "redirectUrl": "https://redirect.com",
                     "domains": ["domain.com"],