The ID Token does not contain the group information. However, we are not able to trigger policies, based on group membership, when using SiteMinder as identity store. I think those problems are related, on how groups are resolved in SiteMinder identity store.

Using Siteminder Authenticator: https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/vip-authentication-hub/2-1/Using/Authentication-services/factor-services/Password-Authentication/sm-as-a-password-authenticator.html

Application's ID store configured to use the SiteMinder Identity Provider

Request submitted with scopes: urn:iam:at:groups urn:iam:it:groups

When the user is not a member to any groups, both access and ID token contain:

    "hasgroups": true,
    "groups": [""],

However, when the user is member of some groups, both attributes are missing. Expected behavior is for the "groups" attribute to contain an array of groups.

SiteMinder Provider Configuration:

{    "securityMethod": "jwtbearer",    "certAlias": "bnym-root-ca",    "url": "{{sag_url}}",    "providerProperties": [      {"name":"spi.discover.capabilities", "value":"smpasswordauthenticator"},      {"name":"spi.description", "value":"SiteMinder password authentication"},      {"name": "appId", "value": "zwaproxyauthhub" },      {"name":"subject", "value":"AUHM04M"},      {"name":"passwordProtectedResourceFilter", "value":"/loginservice"},      {"name":"jwtProtectedResourceFilter", "value":"/jwt"},      {"name":"effectiveIdentitySourceId", "value":"{{config_id_ldap_primary}}"},      {"name":"attributeMapping", "value":"user_loginid=SMUNIVERSALID, user_dn=SMUSERDN, email=mail, phone_number=telephoneNumber, status=SMAUTHREASON, SMUSERLOGINFAILURESCOUNT=SMUSERLOGINFAILURESCOUNT, effectiveIdentitySourceId=effectiveIdentitySourceId"},      {"name":"userLoginIdAttributeMappingName", "value":"user_loginid"},      {"name":"groupAttributeMapping", "value":"name=SMUSERDN, members=SMUSERGROUPS"}    ],    "ignoreSSLValidation": true,    "spiReadTimeoutMillis": "60000",    "spiConnectTimeoutMillis": "60000",    "version": "1.0"} 

response from SAG when a user is not a member of any groups:

UserGetter Response{    "message": "Authentication Successful",    "resultCode": "LOGIN_SUCCESS",    "userPasswordMessage": null,    "authenticationResponses": {        "response": [{            "name": "SMUSERDN",            "value": "uid=AUHM001,cn=People,ou=Internal,o=mfc"        }, {            "name": "SMAUTHREASON",            "value": "0"        }, . . . {            "name": "SMUSER",            "value": "uid=AUHM001,cn=People,ou=Internal,o=mfc"        }, {            "name": "SMUSERGROUPS",            "value": ""        }, . . . ]    }} 

Response from SAG when a user is a member to some groups:

UserGetter Response{    "message": "Authentication Successful",    "resultCode": "LOGIN_SUCCESS",    "userPasswordMessage": null,    "authenticationResponses": {        "response": [{            "name": "SMUSERDN",            "value": "uid=XEDD2HN,cn=People,ou=Internal,o=mfc"        }, {            "name": "SMAUTHREASON",            "value": "0"        },  . . . {            "name": "SMREALM",            "value": "/jwt"        }, {            "name": "SMUSER",            "value": "uid=XEDD2HN,cn=People,ou=Internal,o=mfc"        }, {            "name": "SMUSERGROUPS",            "value": "PUPM^NEXENAPI^ESF^ES1^WA1Editor^TOA^UDSStatic^PN1Admin^PN1Crypto^CWM^Juniper_VPN^APEX_Pipeline^DAE_USERS^FX_ADMIN^ESF Sample^NCX^WA1Admin^IWA^MOO-EventMgmt-Opr^EDY^OPD^MARKETPLACE^NGE^DP_TLU_GSP_USR^UMT Users^UMT^AUHAdmin^Veracode"        },  . . . ]    }} 

Release : VIP Authentication Hub 2.1.2+1030

The attached document covers the App configuration to get the Group in IT and AT tokens.