  1. Jenkins
  2. JENKINS-60303

Authorize access by group membership using keycloak-plugin

    • New Feature
    • Resolution: Unresolved
    • Minor
    • keycloak-plugin
    • None
    • Jenkins version: 2.190.3
      Keycloak plugin version: 2.3.0

      We would like to log in using AD group membership. We've synced our groups in Keycloak and then added a mapper to the Jenkins client in Keycloak using the "Keycloak config" here

      Authorization fails unless the user is added to Project Matrix permissions rather than the group. "<user> is missing the Overall/Read permission".

      This plugin gives nowhere to add a "Token Claim Name" defined in our Keycloak mapper. Am I right that this plugin lacks the ability to log in by virtue of group membership? If so, this is a feature request.

      http://<jenkins_url>/whoAmI/ doesn't show any group memberships, but not sure if it should.

            devlauer D. Lauer
            brendanh Brendan Holmes
            Votes: 3
            Watchers: 3
