coder
diff --git a/‎coderd/coderdtest/uuids.go
+21 b/‎coderd/coderdtest/uuids.go
+21
diff --git a/‎coderd/database/dbmem/dbmem.go
+16-1 b/‎coderd/database/dbmem/dbmem.go
+16-1
diff --git a/‎coderd/idpsync/group.go
+20-3 b/‎coderd/idpsync/group.go
+20-3
@@ -0,0 +1,21 @@
+package coderdtest
+
+import "github.com/google/uuid"
+
+type DeterministicUUIDGenerator struct {
+	Named map[string]uuid.UUID
+}
+
+func NewDeterministicUUIDGenerator() *DeterministicUUIDGenerator {
+	return &DeterministicUUIDGenerator{
+		Named: make(map[string]uuid.UUID),
+	}
+}
+
+func (d *DeterministicUUIDGenerator) ID(name string) uuid.UUID {
+	if v, ok := d.Named[name]; ok {
+		return v
+	}
+	d.Named[name] = uuid.New()
+	return d.Named[name]
+}
@@ -7643,7 +7643,22 @@ func (q *FakeQuerier) RemoveUserFromGroups(ctx context.Context, arg database.Rem
 		return nil, err
 	}
 
-	panic("not implemented")
+	q.mutex.Lock()
+	defer q.mutex.Unlock()
+
+	removed := make([]uuid.UUID, 0)
+	q.data.groupMembers = slices.DeleteFunc(q.data.groupMembers, func(groupMember database.GroupMemberTable) bool {
+		if groupMember.UserID != arg.UserID {
+			return false
+		}
+		if !slices.Contains(arg.GroupIds, groupMember.GroupID) {
+			return false
+		}
+		removed = append(removed, groupMember.GroupID)
+		return true
+	})
+
+	return removed, nil
 }
 
 func (q *FakeQuerier) RevokeDBCryptKey(_ context.Context, activeKeyDigest string) error {
 
@@ -2,6 +2,7 @@ package idpsync
 
 import (
 	"context"
+	"encoding/json"
 	"regexp"
 
 	"github.com/golang-jwt/jwt/v4"
@@ -12,6 +13,7 @@ import (
 	"github.com/coder/coder/v2/coderd/database"
 	"github.com/coder/coder/v2/coderd/database/db2sdk"
 	"github.com/coder/coder/v2/coderd/database/dbauthz"
+	"github.com/coder/coder/v2/coderd/runtimeconfig"
 	"github.com/coder/coder/v2/coderd/util/slice"
 )
 
@@ -32,7 +34,6 @@ func (s AGPLIDPSync) ParseGroupClaims(_ context.Context, _ jwt.MapClaims) (Group
 	}, nil
 }
 
-// TODO: Group allowlist behavior should probably happen at this step.
 func (s AGPLIDPSync) SyncGroups(ctx context.Context, db database.Store, user database.User, params GroupParams) error {
 	// Nothing happens if sync is not enabled
 	if !params.SyncEnabled {
@@ -43,6 +44,8 @@ func (s AGPLIDPSync) SyncGroups(ctx context.Context, db database.Store, user dat
 	ctx = dbauthz.AsSystemRestricted(ctx)
 
 	db.InTx(func(tx database.Store) error {
+		manager := runtimeconfig.NewStoreManager(tx)
+
 		userGroups, err := tx.GetGroups(ctx, database.GetGroupsParams{
 			HasMemberID: user.ID,
 		})
@@ -60,12 +63,12 @@ func (s AGPLIDPSync) SyncGroups(ctx context.Context, db database.Store, user dat
 		// For each org, we need to fetch the sync settings
 		orgSettings := make(map[uuid.UUID]GroupSyncSettings)
 		for orgID := range userOrgs {
-			orgResolver := s.Manager.Scoped(orgID.String())
+			orgResolver := manager.Scoped(orgID.String())
 			settings, err := s.SyncSettings.Group.Resolve(ctx, orgResolver)
 			if err != nil {
 				return xerrors.Errorf("resolve group sync settings: %w", err)
 			}
-			orgSettings[orgID] = settings.Value
+			orgSettings[orgID] = *settings
 		}
 
 		// collect all diffs to do 1 sql update for all orgs
@@ -177,6 +180,20 @@ type GroupSyncSettings struct {
 	AutoCreateMissingGroups bool                   `json:"auto_create_missing_groups"`
 }
 
+func (s *GroupSyncSettings) Set(v string) error {
+	return json.Unmarshal([]byte(v), s)
+}
+func (s *GroupSyncSettings) String() string {
+	v, err := json.Marshal(s)
+	if err != nil {
+		return "decode failed: " + err.Error()
+	}
+	return string(v)
+}
+func (s *GroupSyncSettings) Type() string {
+	return "GroupSyncSettings"
+}
+
 type ExpectedGroup struct {
 	GroupID   *uuid.UUID
 	GroupName *string