
Which group is 'all' in cloudfoundry-UAA?


The owner of the identity provider (SAML) will use cloudfoundry-UAA to interact with my app / resource server. I have some resources that should be visible to every user that logged in successfully. So if there is a group that every user is automatically a member of, it would let me treat all permission-related cases uniformly.

So: is there any group that is added to all users automatically? Even for those users that log in using SAML? Is it uaa.user? Can we somehow distinguish users from different zones? Like zone1.uaa.user?


Solution

  • You should be able to reliably use openid as an “all users” group. There should be other information in the token that will tell you what zone it was part of.
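
A resource-server check along the lines of this answer, as an added example that is not part of the original post. It assumes the token's signature, issuer and expiry were already verified, and that the zone is carried in the `zid` claim of the UAA-issued JWT; the function names, zone ids and sample claims are constructed.

```python
# Added example: authorize "any logged-in user" from claims of an
# ALREADY VERIFIED UAA access token (signature/issuer/expiry checked upstream).
ALL_USERS_SCOPE = "openid"  # the "all users" group named in the answer


class AccessDenied(Exception):
    pass


def token_scopes(claims):
    """Return scopes as a set; accepts a JSON array or a space-delimited string."""
    raw = claims.get("scope", [])
    if isinstance(raw, str):
        raw = raw.split()
    if not isinstance(raw, (list, tuple)):
        raise AccessDenied("malformed scope claim")
    return {s for s in raw if isinstance(s, str)}


def authorize_logged_in_user(claims, allowed_zones):
    """Return (zone, user_name) for a logged-in user of an expected zone."""
    if ALL_USERS_SCOPE not in token_scopes(claims):
        raise AccessDenied("token lacks the openid scope")
    zone = claims.get("zid")  # assumption: zone id claim in the token
    if not isinstance(zone, str) or zone not in allowed_zones:
        raise AccessDenied("token comes from an unexpected zone")
    user = claims.get("user_name")
    if not isinstance(user, str) or not user:
        raise AccessDenied("token does not represent a user")
    return zone, user


def is_allowed(claims, allowed_zones):
    """Boolean wrapper for callers that only need a yes/no decision."""
    try:
        authorize_logged_in_user(claims, allowed_zones)
        return True
    except AccessDenied:
        return False


# Constructed sample claims (not taken from a real token).
SAML_USER = {"scope": ["openid", "orders.read"], "zid": "zone1",
             "user_name": "alice", "origin": "example-saml-idp"}
OTHER_ZONE = dict(SAML_USER, zid="zone2")
NO_OPENID = dict(SAML_USER, scope="orders.read")
CLIENT_ONLY = {"scope": ["openid"], "zid": "zone1", "client_id": "batch-job"}

if __name__ == "__main__":
    for c in (SAML_USER, OTHER_ZONE, NO_OPENID, CLIENT_ONLY):
        print(c.get("zid"), c.get("user_name"), is_allowed(c, {"zone1"}))
```

Matching on the exact scope string and an explicit zone allow-list keeps a token from another zone from being treated as a local user.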