SAML role/ access-groups not working (AzureAD)

I’m having trouble getting the App Roles mapping to work. I can login successfully using SAML & AzureAD. The role claim is also picked up in the debug logs for ShinyProxy. However when enabling the access-groups for the demo applications they aren’t visible for the user.

Relevant config:

The logs indicate that the admin group is picked up:

2022-05-23 13:08:30.352 INFO 1 --- [ XNIO-1 task-1] uration$$EnhancerBySpringCGLIB$$9624b72e : [SAML] User: "bbHxxxCk2H-XWOMig-U3GsOq1MWgK69w" => attribute => name=""("null") => value "admin" - "admin"

However the user can’t see the applications protected by the access-groups. Any ideas?