Application/Sign On/OpenID Connect ID Token/Groups claim filter Not Working

We can go to “Security/API/Authorization Servers/default/Claims/ID” and “Add Claim” groups to get Groups claims included with the ID token. We can also adjust the Filter to something like “Starts with” “SCC-”, which effectively limits the Groups claims that are included in the ID token to only those starting with “SCC-”. However, when we change this setting back to “Matches RegEx” “.*” (so that all groups would be included) and then go to Applications//Sign On/OpenID Connect ID Token/Groups claim filter and set it to something like “Starts with” “SCC-”, ALL groups are included in the ID token instead of just those starting with “SCC-”. Why is group filtering not working at the Application level as it does at the Authorization Server level?

Hi @john.buuck, with the Applications//Sign On/OpenID Connect ID Token/Groups claim filter, can you tell me the authorization server you are setting/testing this on? Screenshots would be helpful.

Okta has multiple types of servers - Authorization servers | Okta Developer.

The one you are modifying under Applications//Sign On/OpenID Connect ID Token/Groups claim filter is tied to the Org Authz Server :red_apple: which is different than the one you are modifying under Security/API/Authorization Servers/default/Claims/ID which is tied to the default custom authz server :tangerine: . Both will mint two different tokens depending on your filter.
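To tell which of the two servers minted a given ID token, and whether its groups claim honours the expected filter, the token's `iss` claim can be inspected. The following is an added example, not part of the original thread: it assumes the usual Okta issuer shapes (org authorization server `https://<org>`, custom servers `https://<org>/oauth2/<id>`), and `example.okta.com`, the group names and the helper names are constructed placeholders.

```python
import base64
import json
from urllib.parse import urlparse


def decode_payload(jwt: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature (diagnostics only)."""
    payload_b64 = jwt.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def minting_server(issuer: str) -> str:
    """Classify the issuer: the org server has no path, custom servers use /oauth2/<id>."""
    path = urlparse(issuer).path.rstrip("/")
    if path == "":
        return "org"
    if path.startswith("/oauth2/"):
        return "custom:" + path.split("/")[2]
    return "unknown"


def audit_groups(jwt: str, prefix: str) -> dict:
    """Report which server minted the token and which groups escape the prefix filter."""
    claims = decode_payload(jwt)
    groups = claims.get("groups", [])
    return {
        "server": minting_server(claims.get("iss", "")),
        "unexpected": [g for g in groups if not g.startswith(prefix)],
    }


def _make_sample(claims: dict) -> str:
    """Build an unsigned, constructed token for the demo (not a real Okta token)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


# Constructed sample tokens; example.okta.com and the group names are placeholders.
ORG_TOKEN = _make_sample({"iss": "https://example.okta.com", "groups": ["SCC-Admins"]})
CUSTOM_TOKEN = _make_sample({"iss": "https://example.okta.com/oauth2/default",
                             "groups": ["SCC-Admins", "Everyone"]})

if __name__ == "__main__":
    for name, tok in (("org", ORG_TOKEN), ("custom", CUSTOM_TOKEN)):
        print(name, audit_groups(tok, "SCC-"))
```

A token reported as `custom:default` is governed by the claim defined under Security/API/Authorization Servers, so the application-level filter does not apply to it. Verify the signature before relying on any claim for an access decision.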