The ID Token does not contain the group information. As a result, policies cannot be triggered on group membership when SiteMinder is used as the identity store.
Using the SiteMinder Authenticator: SiteMinder as a Password Authenticator
The application's ID store is configured to use the SiteMinder Identity Provider.
The request is submitted with the scopes urn:iam:at:groups and urn:iam:it:groups.
When the user is not a member of any groups, both the access token and the ID token contain:
  "hasgroups": true,
  "groups": [""],
However, when the user is a member of one or more groups, both attributes are missing entirely. The expected behaviour is for the "groups" attribute to contain an array of the user's group names.
SiteMinder Provider Configuration:
{
  "securityMethod": "jwtbearer",
  "certAlias": "bnym-root-ca",
  "url": "{{sag_url}}",
  "providerProperties": [
    {"name": "spi.discover.capabilities", "value": "smpasswordauthenticator"},
    {"name": "spi.description", "value": "SiteMinder password authentication"},
    {"name": "appId", "value": "<############>"},
    {"name": "subject", "value": "<UID>"},
    {"name": "passwordProtectedResourceFilter", "value": "/loginservice"},
    {"name": "jwtProtectedResourceFilter", "value": "/jwt"},
    {"name": "effectiveIdentitySourceId", "value": "{{config_id_ldap_primary}}"},
    {"name": "attributeMapping", "value": "user_loginid=SMUNIVERSALID, user_dn=SMUSERDN, email=mail, phone_number=telephoneNumber, status=SMAUTHREASON, SMUSERLOGINFAILURESCOUNT=SMUSERLOGINFAILURESCOUNT, effectiveIdentitySourceId=effectiveIdentitySourceId"},
    {"name": "userLoginIdAttributeMappingName", "value": "user_loginid"},
    {"name": "groupAttributeMapping", "value": "name=SMUSERDN, members=SMUSERGROUPS"}
  ],
  "ignoreSSLValidation": true,
  "spiReadTimeoutMillis": "60000",
  "spiConnectTimeoutMillis": "60000",
  "version": "1.0"
}
Response from SAG when a user is not a member of any groups:
UserGetter Response
{
  "message": "Authentication Successful",
  "resultCode": "LOGIN_SUCCESS",
  "userPasswordMessage": null,
  "authenticationResponses": {
    "response": [
      { "name": "SMUSERDN", "value": "uid=<UID>,cn=People,ou=Internal" },
      { "name": "SMAUTHREASON", "value": "0" },
      . . .
      { "name": "SMUSER", "value": "uid=<UID>,cn=People,ou=Internal" },
      { "name": "SMUSERGROUPS", "value": "" },
      . . .
    ]
  }
}
Response from SAG when a user is a member of one or more groups:
UserGetter Response
{
  "message": "Authentication Successful",
  "resultCode": "LOGIN_SUCCESS",
  "userPasswordMessage": null,
  "authenticationResponses": {
    "response": [
      { "name": "SMUSERDN", "value": "uid=<UID>,cn=People,ou=Internal" },
      { "name": "SMAUTHREASON", "value": "0" },
      . . .
      { "name": "SMREALM", "value": "/jwt" },
      { "name": "SMUSER", "value": "uid=<UID>,cn=People,ou=Internal" },
      { "name": "SMUSERGROUPS", "value": "PUPM##########################" },
      . . .
    ]
  }
}

Release : VIP Authentication Hub 2.1.2+1030
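The following is an added example, not code from the KB article or from the VIP Authentication Hub product. It covers the two passages above: the token claim shapes ("hasgroups": true with "groups": [""] for a user without groups, and no groups claims at all for a user with groups) and the SAG UserGetter responses they derive from. The first half applies the members=SMUSERGROUPS mapping in a way that drops empty entries, so an empty SMUSERGROUPS value maps to an empty array rather than [""]; the second half is a relying-party policy check that fails closed, so neither a placeholder-only claim nor a missing claim can satisfy a group-membership rule. The SAG responses are reduced to the attributes the page quotes; the group names, the comma delimiter for SMUSERGROUPS and all function names are assumptions (the page masks the real group value and does not state a delimiter).

```python
# Added example (not from the KB article or the VIP Authentication Hub product).
# Two constructed SAG "UserGetter" responses, reduced to the attributes the
# page quotes; the real group value is masked on the page, so the group names
# here are invented for illustration.
SAG_RESPONSE_NO_GROUPS = {
    "message": "Authentication Successful",
    "resultCode": "LOGIN_SUCCESS",
    "authenticationResponses": {"response": [
        {"name": "SMUSERDN", "value": "uid=<UID>,cn=People,ou=Internal"},
        {"name": "SMAUTHREASON", "value": "0"},
        {"name": "SMUSER", "value": "uid=<UID>,cn=People,ou=Internal"},
        {"name": "SMUSERGROUPS", "value": ""},
    ]},
}

SAG_RESPONSE_WITH_GROUPS = {
    "message": "Authentication Successful",
    "resultCode": "LOGIN_SUCCESS",
    "authenticationResponses": {"response": [
        {"name": "SMUSERDN", "value": "uid=<UID>,cn=People,ou=Internal"},
        {"name": "SMAUTHREASON", "value": "0"},
        {"name": "SMREALM", "value": "/jwt"},
        {"name": "SMUSER", "value": "uid=<UID>,cn=People,ou=Internal"},
        # constructed value; assumes groups are comma-delimited (not stated on the page)
        {"name": "SMUSERGROUPS", "value": "PUPM-GROUP-A,PUPM-GROUP-B"},
    ]},
}

# Token claim shapes as observed on the page: [""] for a user without groups,
# and no groups/hasgroups claims at all for a user with groups.
TOKEN_CLAIMS_NO_GROUPS = {"sub": "<UID>", "hasgroups": True, "groups": [""]}
TOKEN_CLAIMS_WITH_GROUPS_AS_ISSUED = {"sub": "<UID>"}


def sag_attribute(response, name):
    """Look up one attribute by name in a SAG authenticationResponses block."""
    for entry in response.get("authenticationResponses", {}).get("response", []):
        if entry.get("name") == name:
            return entry.get("value")
    return None


def groups_from_sag(response, delimiter=","):
    """Apply the members=SMUSERGROUPS mapping, dropping empty entries so an
    empty SMUSERGROUPS yields [] rather than [""]. The delimiter is an assumption."""
    raw = sag_attribute(response, "SMUSERGROUPS") or ""
    return [g.strip() for g in raw.split(delimiter) if g.strip()]


def build_group_claims(response):
    """Produce the hasgroups/groups claim pair from a SAG response."""
    groups = groups_from_sag(response)
    return {"hasgroups": bool(groups), "groups": groups}


def effective_groups(claims):
    """Normalize a token's groups claim for policy use.
    Returns None when the claim is absent (membership unknown) and filters out
    empty strings so the [""] artifact is not mistaken for a real group."""
    if "groups" not in claims or not isinstance(claims["groups"], list):
        return None
    return [g for g in claims["groups"] if isinstance(g, str) and g.strip()]


def policy_allows(claims, required_group):
    """Group-membership policy that fails closed: a missing claim or a
    placeholder-only claim never grants access, regardless of 'hasgroups'."""
    groups = effective_groups(claims)
    if groups is None:
        return False
    return required_group in groups


if __name__ == "__main__":
    print("mapped claims (no groups):  ", build_group_claims(SAG_RESPONSE_NO_GROUPS))
    print("mapped claims (with groups):", build_group_claims(SAG_RESPONSE_WITH_GROUPS))
    for label, claims in (("no groups", TOKEN_CLAIMS_NO_GROUPS),
                          ("with groups, as issued", TOKEN_CLAIMS_WITH_GROUPS_AS_ISSUED)):
        naive = bool(claims.get("hasgroups"))
        print(f"{label}: naive hasgroups check={naive}, "
              f"policy_allows('PUPM-GROUP-A')={policy_allows(claims, 'PUPM-GROUP-A')}")
```

The point of the policy half is that a check written as `if claims["hasgroups"]` accepts the user-without-groups token on the page, because hasgroups is true there even though the only group is the empty string, while a check on `"PUPM-GROUP-A" in claims["groups"]` raises a KeyError on the user-with-groups token. Normalizing the claim first and treating an absent claim as "unknown, deny" keeps the policy decision fail-closed in both observed cases.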
The attached document covers the application configuration needed to get the groups claim into the ID Token (IT) and Access Token (AT).