diff --git a/authorize/evaluator/headers_evaluator_test.go b/authorize/evaluator/headers_evaluator_test.go
index 121bd6f4d..c95efc93f 100644
--- a/authorize/evaluator/headers_evaluator_test.go
+++ b/authorize/evaluator/headers_evaluator_test.go
@@ -14,7 +14,9 @@ import (
 	"github.com/pomerium/pomerium/config"
 	"github.com/pomerium/pomerium/pkg/cryptutil"
+	"github.com/pomerium/pomerium/pkg/grpc/directory"
 	"github.com/pomerium/pomerium/pkg/grpc/session"
+	"github.com/pomerium/pomerium/pkg/grpc/user"
 )
 
 func TestHeadersEvaluator(t *testing.T) {
@@ -40,6 +42,25 @@ func TestHeadersEvaluator(t *testing.T) {
 		return e.Evaluate(context.Background(), input)
 	}
 
+	t.Run("groups", func(t *testing.T) {
+		output, err := eval(t,
+			[]proto.Message{
+				&session.Session{Id: "s1", UserId: "u1"},
+				&user.User{Id: "u1"},
+				&directory.User{Id: "u1", GroupIds: []string{"g1", "g2", "g3"}},
+			},
+			&HeadersRequest{
+				FromAudience: "from.example.com",
+				ToAudience: "to.example.com",
+				Session: RequestSession{
+					ID: "s1",
+				},
+			})
+		require.NoError(t, err)
+
+		assert.Equal(t, "g1,g2,g3", output.Headers.Get("X-Pomerium-Claim-Groups"))
+	})
+
 	t.Run("jwt", func(t *testing.T) {
 		output, err := eval(t,
 			[]proto.Message{
diff --git a/authorize/evaluator/opa/policy/headers.rego b/authorize/evaluator/opa/policy/headers.rego
index fa34b98d0..064993ee1 100644
--- a/authorize/evaluator/opa/policy/headers.rego
+++ b/authorize/evaluator/opa/policy/headers.rego
@@ -211,13 +211,14 @@ identity_headers := {key: values |
 	h2 := [[header_name, header_value] |
 		some header_name
 		k := data.jwt_claim_headers[header_name]
-		header_value := array.concat(
+		raw_header_value := array.concat(
 			[cv | [ck, cv] := jwt_claims[_]
 				ck == k
 			],
 			[""]
 		)[0]
+		header_value := get_header_string_value(raw_header_value)
 	]
 	h3 := kubernetes_headers
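Review bot: The new "groups" subtest pins only the populated path (three group IDs joined to `g1,g2,g3`); nothing exercises the empty side, where the rego's `array.concat(..., [""])[0]` fallback hands `""` to the newly introduced `get_header_string_value`, so a regression that emits something other than an empty header for a user with no groups would go unnoticed. A sibling case with `&directory.User{Id: "u1"}` (no GroupIds), or with no directory.User record at all, asserting the value of `output.Headers.Get("X-Pomerium-Claim-Groups")` would lock that down — presumably an empty string, but confirm against the helper's definition, which is outside this diff. A one-line comment on the subtest, `// groups claim is an array; the rego joins it into a single header value`, would also tell the next reader why this case exists separately from "jwt". TestHeadersEvaluator and the shared eval helper begin before this hunk, so whether `X-Pomerium-Claim-Groups` is mapped through jwt_claim_headers in the setup cannot be checked here.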