...
Ensure that the SAML metadata includes the GroupRepresentative element within the `<Extensions>` section of the SAML entity's `<IDPSSODescriptor>`. This element must contain a URL pointing to a JSON Web Signature ( JWS ) conforming to the specification, and it must also include the certificate used for the JWS signature validation.
...