Omniauth external_groups config

Hi. I’m running gitlab-ce 11.11.8.

Our current configuration sets everyone with “MEMBER” or “STUDENT” in eduPersonPrimaryAffiliation (urn:oid: as External.

In our LDAP config, we had a filter that would allow anyone in a certain ldap group to be an exception to that. So if a student got special permission to get standard access, we could add them to a group in ldap and they wouldn’t be marked External.

Is there any way to do something like that with omniauth (saml)? I’ve played with required_groups a bit in conjunction with external_groups, but I don’t see a way to say “if [user] is NOT in this group, mark them external.”