#107 RFE: Allow groups to map to FAS Groups
Closed: Fixed None Opened 8 years ago by maxamillion.

I would like to request that at the time of creation for a Group, the group could map to a FAS group either with 1:1 naming or at least such that pagure_group == FAS_group for membership and permissions.


I think this is a good idea.

Would the concept here be if a group in pagure is selected to be linked to a FAS group, that you can't add members in the Pagure UI, the assumption is that you add them in the FAS UI? Or do we want to support adding members to the FAS group in the pagure UI?

You can also have whatever is doing authentication present group membership information, and pagure wouldn't need to know who all is in each group, only the membership for authenticated users. This is how things are typically done in the SAML world.

Whatever does the authentication at the moment already supports groups so there is no issue there.

The reason why it is not using these groups is simply that pagure is meant to also support self-hosting; as such it supports having local user accounts and has code to handle the authentication, in which case the source of the groups is pagure itself.
It was therefore just simpler to keep this behavior everywhere.

In case of self-hosting, it may be interesting to sync group membership thanks to an LDAP connector.

There are two ways to do it:
1- at login time, query LDAP to update user group membership in pagure database
2- a background task regularly syncs group membership for known users in pagure database

I think being able to use groups defined remotely is going to be useful for enterprises self hosting on Pagure. I think there is more important stuff to work on, but it should be in future plans.

Ok, I have taken a first stab at this in #1098

If the pagure instance is configured for it, any group can be added to a project and users are added to groups upon their login (which means: if a new group is added, people will have to re-login for their membership to be updated).
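
The login-time option listed earlier in the thread, which is also the behaviour described for #1098, sketched as an added example (not Pagure's code and not taken from the PR). The `Group` class, the `external` flag and the function name are assumptions for illustration, and it assumes the identity provider asserts the user's full group list at every login.

```python
from dataclasses import dataclass, field


@dataclass
class Group:
    name: str
    external: bool  # assumption: True means membership is owned by the identity provider
    members: set = field(default_factory=set)


def sync_groups_at_login(user, asserted, groups):
    """Reconcile one user's memberships with the groups asserted at login.

    Returns (added, removed) lists of group names. Locally managed groups
    are never modified, even if an asserted name collides with one.
    """
    asserted = set(asserted)
    added, removed = [], []
    for name in sorted(asserted):
        group = groups.get(name)
        if group is None:
            # This sketch's choice: unknown asserted groups are created as external.
            group = groups[name] = Group(name, external=True)
        if not group.external:
            continue  # a remote claim must not grant membership of a local group
        if user not in group.members:
            group.members.add(user)
            added.append(name)
    # Drop memberships the identity provider no longer asserts.
    for name, group in sorted(groups.items()):
        if group.external and name not in asserted and user in group.members:
            group.members.discard(user)
            removed.append(name)
    return added, removed


def demo():
    # Constructed sample state: one externally managed group, one local group.
    groups = {
        "packagers": Group("packagers", external=True, members={"alice"}),
        "local-admins": Group("local-admins", external=False, members={"bob"}),
    }
    # alice logs in; her asserted list has changed and includes a colliding name.
    result = sync_groups_at_login("alice", ["infra", "local-admins"], groups)
    return result, groups


if __name__ == "__main__":
    print(demo()[0])
```

With this approach a membership removed at the identity provider stays in effect locally until the user's next login, which is the trade-off against the background-sync option.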

PR #1098 has been reviewed and merged :)
