Anybody had success setting up Vault using AD FS (Version 4) as an OIDC back end, passing group membership via the token?