KB40723 - Custom expressions using group attribute fails with Standard (AD) Active Directory mode

This article describes an issue where role mapping are not applied when custom expressions using group attribute fails with Standard (AD) Active Directory mode.

After authentication, end users may not be mapped to the correct role due no matching role mapping rule when custom expression using groups fails.

No match on rule 'groups="XXX/PULSE" '

This issue occurs due to a behavior change between Standard AD and Legacy AD mode.  Only group names added using the group membership option will be cached and used for custom expression.  This change was done to avoid caching all groups returned for every authentication and only caching the groups configured on the group membership option.

This issue is only applicable to Standard (AD) Active Directory mode and does not apply to Legacy AD mode.

To resolve this issue, group name used for role mapping should be added as an available group using the group membership. 

1. Login to admin console
2. Navigate to Users > User Realms > [REALM NAME] > Role Mapping
3. Click New Rule
4. From Rule Based On drop-down, select Group Membership
5. Click Update
6. Click Groups...
7. From the server catalog menu, click Search
8. From the results, select all group names used for all custom expressions rules
9. Click Add Selected
10. Click OK

Once the group name are added under Available Groups, please have the end user attempt to authenticate again.