replied on April 21, 2020
Unless you are using the proxied providers feature (designed for existing Windows users to switch to SAML authenticate), you can leave the setting on "None" rather than AD SID or LDAP distinguished name. We will be updating the label to be clearer in the future.
For Okta, the default attribute name is "group", but I believe Okta does not include the group attribute by default --- it must be enabled by an administrator. See https://help.okta.com/en/prod/Content/Topics/Apps/attribute-statements-saml.htm for instructions.
You can verify whether the attribute is on the token by using the SAML token interception instructions in the documentation.