diff --git a/docs/assets/screenshots/sso/oidc-custom-claims.png b/docs/assets/screenshots/sso/oidc-custom-claims.png
new file mode 100644
index 000000000..842b7c67d
Binary files /dev/null and b/docs/assets/screenshots/sso/oidc-custom-claims.png differ
diff --git a/docs/integrations/cloud-providers/oidc/README.md b/docs/integrations/cloud-providers/oidc/README.md
index 6b5e8d4c0..5d7b23289 100644
--- a/docs/integrations/cloud-providers/oidc/README.md
+++ b/docs/integrations/cloud-providers/oidc/README.md
@@ -95,6 +95,27 @@ The only exceptions are tracked runs whose stack is not set to [autodeploy](../.
 
 The scope claim, as well as other claims presented by the Spacelift token, are merely advisory. It depends on you whether you want to control access to your external service provider based on the scope of the token or on some other claim like space, caller, or run type. In other words, Spacelift gives you the data and it's up to you to decide how to use it.
 
+## Custom Claims Mapping for Groups
+
+Some identity providers use non-standard claim names for user group membership. For example:
+
+- **AWS Cognito** uses `cognito:groups` instead of the standard `groups` claim
+- **Google Workspace** does not include group membership in OIDC tokens by default
+
+Spacelift allows you to map custom claims from your identity provider to the standard `groups` claim that Spacelift expects. This enables group-based access control even when your IdP doesn't follow the standard OIDC groups claim convention.
+
+### Configuring Custom Claims Mapping
+
+To configure custom claims mapping:
+
+1. Navigate to **Organization settings** → **Single Sign-On**
+2. In your OIDC configuration, look for the **Custom claims mapping** section
+3. Add a mapping for the `groups` claim:
+   - **Claim name in IdP**: Enter the custom claim name from your identity provider (e.g., `cognito:groups`)
+   - **Claim name in Spacelift**: Enter `groups`
+
+![Screenshot: OIDC configuration page showing custom claims mapping section](../../../assets/screenshots/sso/oidc-custom-claims.png)
+
 ## Use the Spacelift OIDC token
 
 You can follow our guidelines to see how to use the Spacelift OIDC token to authenticate with:
diff --git a/docs/product/changelog.md b/docs/product/changelog.md
index 5397756ad..46224be7a 100644
--- a/docs/product/changelog.md
+++ b/docs/product/changelog.md
@@ -15,6 +15,7 @@ description: Find out about the latest changes to Spacelift.
 ## Features
 
 - You can now create API keys via the TF provider. See the [API keys resource documentation](https://search.opentofu.org/provider/spacelift-io/spacelift/latest/docs/resources/api_key) for more information.
+- Added SSO OIDC claim mapping support. See the [custom claims mapping documentation](../integrations/cloud-providers/oidc/README.md#configuring-custom-claims-mapping) for more information.
 
 ## 2025-10-01