Keycloak Adaptor +ADFS idp, and Tomcat== web.xml roles seem to be ignored !?

a) I was able to install the keycloak adaptor with ADFS Idp and with tomcat.
b) I can authenticate successfully using saml to my application.
c) I can see the list of ADFS idp groups for my user within the returned authenticated saml assertion (in browser using saml plugin)
d) PROBLEM: If I specify a group (for which I can see I am a member of) THEN I get a unauthorized. But if I do NOT specify a role/group in web.xml, it WILL authenticate and pass me to the application.

QUESTION: When using Keycloak adaptor with ADFS Idp and tomcat, is there something else I need to do in order to allow access based on the role specified int he web.xml?