Did you map the group claim token in the SAML configuration?
Your issue is related to the fact you do not have a SAML attribute mapping for "User Groups". IICS is not getting the list of groups.
I have http://schema.microsoft.com/ws/2008/06/identity/claims as my value in the "User Groups"
Let me know if you are still facing issues am happy to jump on a call and show you how I have it configured in our environment.
I tried to make the settings you indicated but it didn't work.
If you can, that would be great.