TL;DR: Make the API reject user group creation/update requests when an invalid SSO ID is provided, instead of accepting it silently.

Today, the User Group API can accept create or update requests that contain an invalid SSO ID and still return a successful response. This creates the impression that the configuration worked correctly, even though the user group may not sync properly with the identity provider afterward.

The requested enhancement is to add validation so the API rejects requests when the provided SSO ID is invalid or does not exist for that account. Returning a clear error at the time of the API call would prevent silent misconfigurations, reduce troubleshooting, and make automated provisioning more reliable.