Groups are No Longer Sent via the WS-Federation Application Causing Users to Lose Access or Permissions
Single Sign-On
Integrations
Okta Classic Engine
Okta Identity Engine
Overview

After groups were pushed from Okta to Active Directory (AD), the WS-Federation app stopped including them in the group claim. Downstream applications that grant access on the basis of that claim no longer treated the affected users as members of those groups, so the users lost access or permissions.

Applies To
  • Template WS-Fed 
  • Active Directory Groups
Cause

When an Active Directory (AD) group becomes mastered by Okta through Group Push to AD, the AD-sourced copy of that group is hidden from Okta's group search. If the WS-Federation application has its Group Attribute Value set to windowsDomainQualifiedName, the value of the group claim is derived from the AD-sourced group (in the form DOMAIN\group), so the Okta-mastered groups no longer match their AD counterparts, the claim omits them, and users lose any access the downstream application grants based on that claim.

Solution

To address this issue, the following steps are required:

  1. Ensure the Okta group names match the respective AD group name.

    • This can be done manually or via the enhanced push groups feature. Please refer to the Manage Group Push documentation.
      "Click the Action button (Group Push Settings) if required to have the ability to rename a group in the third-party app when linking."

  2. Navigate to the Template WS-Federation app (Applications > Template WS-Federation App).

  3. Under General (Tab), select Edit.

  4. Update the Group Attribute Value to be samAccountName.

  5. Select Save.

[Image: Group Attribute Value setting in the Template WS-Federation app]

The Okta groups that are now being pushed to AD will then also be identified correctly during WS-Federation authentication, because the samAccountName value is the plain group name, which step 1 ensures is the same on both sides. Note that this changes the claim value for every group, AD-sourced ones included, from DOMAIN\group to the bare group name, so any rule in the downstream application that matches on the domain-qualified form must be updated to match.
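The following script is an added example, not code from this article or from Okta. It models how the group claim is assembled under the two Group Attribute Value settings and serves as a pre-flight check for the procedure above: it reports which groups drop out of the claim under windowsDomainQualifiedName, confirms they come back under samAccountName, and flags Okta group names that have no identical sAMAccountName in AD (step 1). The group objects, profile attribute names (samAccountName, windowsDomainQualifiedName) and the fallback to the Okta group name for Okta-mastered groups are assumptions made for the example.

```python
"""Pre-flight check for the WS-Fed group-claim change described in this article.

Added example. Models the group claim for both Group Attribute Value settings
and flags the two things the fix depends on: groups that cannot produce a
value under the configured format, and Okta group names that do not match
the AD group they were pushed to.
"""
from dataclasses import dataclass, field

# The two Group Attribute Value settings discussed in the article.
FORMAT_DOMAIN_QUALIFIED = "windowsDomainQualifiedName"
FORMAT_SAM_ACCOUNT = "samAccountName"


@dataclass
class OktaGroup:
    name: str
    group_type: str                 # "APP_GROUP" = AD-sourced, "OKTA_GROUP" = Okta-mastered
    profile: dict = field(default_factory=dict)


# Constructed sample data (assumption, not from the article). Finance and HR
# were imported from AD and carry AD attributes in their profile; Engineering
# is mastered in Okta and was pushed to AD, so the Okta object has no AD
# attributes at all.
SAMPLE_GROUPS = [
    OktaGroup("Finance", "APP_GROUP",
              {"samAccountName": "Finance",
               "windowsDomainQualifiedName": "CORP\\Finance"}),
    OktaGroup("HR", "APP_GROUP",
              {"samAccountName": "HR",
               "windowsDomainQualifiedName": "CORP\\HR"}),
    OktaGroup("Engineering", "OKTA_GROUP"),
]

# sAMAccountName of every group that exists in AD after the push (constructed).
SAMPLE_AD_GROUP_NAMES = {"Finance", "HR", "Engineering"}


def claim_values(groups, value_format):
    """Return (emitted, dropped): claim values in order, plus the names of
    groups that cannot produce a value under value_format."""
    emitted, dropped = [], []
    for g in groups:
        if value_format == FORMAT_DOMAIN_QUALIFIED:
            # DOMAIN\name exists only on AD-sourced group profiles; an
            # Okta-mastered group has nothing to emit and silently drops out.
            value = g.profile.get("windowsDomainQualifiedName")
        elif value_format == FORMAT_SAM_ACCOUNT:
            # Assumed behaviour: with no AD profile the Okta group name is used,
            # which is why step 1 requires the names to match on both sides.
            value = g.profile.get("samAccountName", g.name)
        else:
            raise ValueError(f"unsupported Group Attribute Value: {value_format}")
        if value is None:
            dropped.append(g.name)
        else:
            emitted.append(value)
    return emitted, dropped


def name_mismatches(groups, ad_group_names):
    """Okta-mastered groups whose Okta name has no identical sAMAccountName in AD."""
    return [g.name for g in groups
            if g.group_type == "OKTA_GROUP" and g.name not in ad_group_names]


def access_diff(groups, old_format, new_format):
    """Summarise what changing the format does to the claim: which groups are
    regained, and the full before/after value lists for downstream rule review."""
    old_emitted, old_dropped = claim_values(groups, old_format)
    new_emitted, new_dropped = claim_values(groups, new_format)
    return {"regained": sorted(set(old_dropped) - set(new_dropped)),
            "old_values": old_emitted,
            "new_values": new_emitted}


if __name__ == "__main__":
    print("before:", claim_values(SAMPLE_GROUPS, FORMAT_DOMAIN_QUALIFIED))
    print("after: ", claim_values(SAMPLE_GROUPS, FORMAT_SAM_ACCOUNT))
    print("name mismatches:", name_mismatches(SAMPLE_GROUPS, SAMPLE_AD_GROUP_NAMES))
    print(access_diff(SAMPLE_GROUPS, FORMAT_DOMAIN_QUALIFIED, FORMAT_SAM_ACCOUNT))
```

Run it before and after changing the setting: the "regained" list should contain exactly the pushed groups, `name_mismatches` should be empty, and the `old_values`/`new_values` lists show the DOMAIN\group to bare-name change that downstream matching rules have to absorb.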
