Yes, I read that. The only issue that seemed odd to me is that for the OIDC in GSuite to be able to fetch the Google Groups membership you have to go through an elaborate process via GSuite Workspace, create a service account and so on. In any case I think I will go with entities and entity aliases, naming each of my entities by its corresponding GSuite email.
What are the roles trying to segment in the Vault console? Here is an example of an SSH key signing role that we used with OIDC. It allows users to log in only as their own ID on a server where their auth principal is provisioned.
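One way to express a role of that kind, as an added example rather than the role referred to above: Terraform for the Vault provider, with the weak "any principal" shape beside the identity-templated one. The mount names `vault_jwt_auth_backend.oidc` and `vault_mount.ssh` are assumptions.

```hcl
# Added example (not the poster's role): Terraform for the Vault provider.
# Assumed names: vault_jwt_auth_backend.oidc (the OIDC auth mount) and
# vault_mount.ssh (an ssh secrets engine mounted at "ssh").

# Weak shape: any caller allowed to hit this role can be issued a certificate
# for any principal, so one user can obtain a cert that logs in as another.
resource "vault_ssh_secret_backend_role" "any_user" {
  name                    = "any-user"
  backend                 = vault_mount.ssh.path
  key_type                = "ca"
  allow_user_certificates = true
  allowed_users           = "*"
}

# Templated shape: the only principal the CA will sign is the caller's own
# OIDC alias name, resolved from the identity entity at signing time.
locals {
  oidc_alias = "{{identity.entity.aliases.${vault_jwt_auth_backend.oidc.accessor}.name}}"
}

resource "vault_ssh_secret_backend_role" "own_id_only" {
  name                    = "own-id-only"
  backend                 = vault_mount.ssh.path
  key_type                = "ca"
  allow_user_certificates = true
  allowed_users_template  = true
  allowed_users           = local.oidc_alias
  default_user_template   = true
  default_user            = local.oidc_alias
  allowed_extensions      = "permit-pty"
  default_extensions      = { "permit-pty" = "" }
  ttl                     = "30m"
  max_ttl                 = "1h"
}

# OIDC users get a policy that lets them sign only against the templated role.
resource "vault_policy" "ssh_sign_own_id" {
  name   = "ssh-sign-own-id"
  policy = <<-EOT
    path "${vault_mount.ssh.path}/sign/${vault_ssh_secret_backend_role.own_id_only.name}" {
      capabilities = ["update"]
    }
  EOT
}
```

The alias name is whatever claim the OIDC role's `user_claim` selects, so in a setup like the first reply's (entities named by GSuite email) `{{identity.entity.name}}` is the equivalent template; the sshd host still has to map that principal to a provisioned local account (for example through `AuthorizedPrincipalsFile`) for the login to succeed.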