kubeguard / guard

🔑 Kubernetes Authentication & Authorization WebHook Server

Home Page: https://kubeguard.dev


Subjects in clusterRoleBinding should be strict

dene14 opened this issue

RBAC doesn't include the realm name and authenticator right now, just a group within the realm, which may lead to a collision if groups in different realms/authenticators are named the same way but should have different access privileges. For example, you have a group in a GitHub org named devs, and you also use another authenticator that has a group with the same name but which includes people who are not allowed access.
Thus, in order to avoid a collision/leak, subjects in clusterRoleBinding should look like this:

# Proposed subject form: the group name is qualified by the authenticator
# and the realm it was resolved in, so same-named groups cannot collide.
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: Authenticator/Realm/GroupName
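The collision described in this issue, simulated as an added example (this is not guard's code and not part of the original issue). It models what an authentication webhook returns in a TokenReview response (username plus resolved groups) and the exact-string Group matching the RBAC authorizer applies to a ClusterRoleBinding subject. The authenticator and realm labels "github"/"my-org" and "other"/"corp", the usernames, and the group "devs" are constructed sample data; the function names are assumptions for the demo.

```go
package main

import "fmt"

// UserInfo mirrors the user info an authentication webhook returns in a
// TokenReview response: the username plus the groups the authenticator
// resolved for that user.
type UserInfo struct {
	Username string
	Groups   []string
}

// Subject mirrors one entry of a ClusterRoleBinding's subjects list. Only
// the User and Group kinds are modelled; Group is where the collision lives.
type Subject struct {
	Kind string
	Name string
}

// authenticate simulates the webhook. authenticator and realm are assumed
// labels (for example "github" and the org name). When qualify is true the
// returned group names carry the "Authenticator/Realm/Group" prefix the
// issue proposes; otherwise the raw group name is returned unchanged.
func authenticate(authenticator, realm, username string, rawGroups []string, qualify bool) UserInfo {
	groups := make([]string, 0, len(rawGroups))
	for _, g := range rawGroups {
		if qualify {
			groups = append(groups, authenticator+"/"+realm+"/"+g)
		} else {
			groups = append(groups, g)
		}
	}
	return UserInfo{Username: username, Groups: groups}
}

// bound reports whether the user matches any subject of the binding, using
// the same rule the RBAC authorizer applies: exact string comparison of the
// subject name against the username (kind User) or any group (kind Group).
func bound(u UserInfo, subjects []Subject) bool {
	for _, s := range subjects {
		switch s.Kind {
		case "User":
			if s.Name == u.Username {
				return true
			}
		case "Group":
			for _, g := range u.Groups {
				if g == s.Name {
					return true
				}
			}
		}
	}
	return false
}

// CollisionDemo binds the unqualified group "devs". A user from a different
// authenticator whose group happens to be called "devs" is granted the same
// access, which is the leak the issue describes.
func CollisionDemo() (githubDev, otherRealmDev bool) {
	binding := []Subject{{Kind: "Group", Name: "devs"}}
	gh := authenticate("github", "my-org", "alice", []string{"devs"}, false)
	other := authenticate("other", "corp", "mallory", []string{"devs"}, false)
	return bound(gh, binding), bound(other, binding)
}

// QualifiedDemo binds "github/my-org/devs" and has the webhook emit qualified
// group names, so only members resolved by that authenticator and realm match.
func QualifiedDemo() (githubDev, otherRealmDev bool) {
	binding := []Subject{{Kind: "Group", Name: "github/my-org/devs"}}
	gh := authenticate("github", "my-org", "alice", []string{"devs"}, true)
	other := authenticate("other", "corp", "mallory", []string{"devs"}, true)
	return bound(gh, binding), bound(other, binding)
}

func main() {
	a, b := CollisionDemo()
	fmt.Printf("unqualified binding: github dev allowed=%v, other-realm dev allowed=%v\n", a, b)
	a, b = QualifiedDemo()
	fmt.Printf("qualified binding:   github dev allowed=%v, other-realm dev allowed=%v\n", a, b)
}
```

The fix only works if both sides change together: the webhook must emit the qualified group names and every binding must reference the qualified form. A binding that still names a bare "devs" would match nothing once the webhook starts prefixing, and a webhook that still emits bare names would leave the collision in place. The prefix relies on the RBAC authorizer comparing Group subject names as plain strings, which is why a "/"-separated name is usable here.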