SSO in AEM with Okta integration and use AEM CUG to authorize the user after successful authentication in Okta

Hi Team,

Good Morning/Afternoon.

We have a login based application. We need to implement SSO in AEM with Okta integration and use AEM CUG to authorize the user for the page 

We are able to implement SSO in AEM with Okta. But, there is one issue with CUG.

When user requests any AEM  page, user will be redirected to Okta login page for authentication.  

After success-full authentication in Okta, user will be created in AEM.  In Okta SAML assertion response we are not getting user groups list .
We need to call Third party API for users list. At the same time we need  use CUG concept ( closed user group ) for authorization purpose .

I thought of two solutions

1. Use custom authentication handler

Once custom authentication handler triggers,  get the user I’d from Okta SAML assertion response and make third party api call to get the user groups list. 
And then create the user and assign the user to groups.

2. Use sling filter

Once sling filter triggers get the login user I’d and make an api call to get the user groups . Then assign the user to groups.
This is under impression that sling filter triggers first before CUG concept 

I tried sling filter approach . For the same page, first 2 requests it gave 404 and third time am able to access the page. It happened for all the sample users in Okta. 

Not sure why first 2 times I got 404 and third time it worked. Any idea/help on this ?

Is custom authentication handler is help full in this scenario?

Any help/info is much appreciated . Thanks in advance.