Do you have a Value is not a collection exception in your gateway logs? If so, you are probably running into the issue which was fixed by ticket number 1677 mentioned here: Nightly 8.1 Changelogs - 2021 - #51 by KathyApplebaum (which is currently available in the 8.1.5 nightly build). If you are able to upgrade, you could use the new multi-attribute-source bound expression path prefix to signal to the system that you are expecting the attribute value returned to be a multi-valued collection. Example: containsAny({multi-attribute-source:authnResponse:/saml2p:Response/saml2:Assertion/saml2:AttributeStatement/saml2:Attribute[@Name='AD_Groups']/saml2:AttributeValue/text()},"Admin")