From what I can tell, you are setting your search filter to a string, not a comparison. So it has no way to filter. SearchFilter = ().
https://msdn.microsoft.com/en-us/library/windows/desktop/aa746475(v=vs.85).aspx
For example, if you were searching for a user, you would use a specific attribute to compare (sAMAccountName=%{session.custom.samaccountname}). As long as you enable memberOf in the query, it will retrieve the group memberships and auto-populate the session.ad.last.attr.memberOf session variable for you.
If you are trying to make sure that the authenticated user is a member of a specific group, you would want to set a query filter to (memberOf=CN=Test....). You could also just use AD Group Resource Assign.
https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-11-5-0/3.html
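Added example, not part of the original answer and not F5 code: a Python sketch of the two filter shapes described above, built as attribute comparisons with RFC 4515 escaping of the value, plus a rough check that rejects a bare string or an empty `()`. The function names, the user names and the group DN are assumptions made up for illustration.

```python
# Added example: build Active Directory search filters as comparisons.
# All user names and the group DN used with these helpers are constructed samples.

# RFC 4515: these characters must be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_value(value: str) -> str:
    """Escape a value so it cannot change the structure of the filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def equals(attribute: str, value: str) -> str:
    """Return one comparison, e.g. (sAMAccountName=jdoe)."""
    if not attribute.replace("-", "").isalnum():
        raise ValueError(f"bad attribute name: {attribute!r}")
    return f"({attribute}={escape_value(value)})"


def user_filter(sam_account_name: str) -> str:
    """Filter that looks a user up by sAMAccountName."""
    return equals("sAMAccountName", sam_account_name)


def user_in_group_filter(sam_account_name: str, group_dn: str) -> str:
    """Match the user only if memberOf contains the given group DN."""
    return f"(&{user_filter(sam_account_name)}{equals('memberOf', group_dn)})"


def is_comparison(search_filter: str) -> bool:
    """Rough check: one balanced, parenthesised filter that contains a comparison."""
    s = search_filter.strip()
    depth = 0
    for i, ch in enumerate(s):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        # Reject a stray ')' and anything outside the outermost parentheses.
        if depth < 0 or (depth == 0 and i < len(s) - 1):
            return False
    return depth == 0 and s.startswith("(") and "=" in s
```

A `memberOf` comparison matches only direct membership and needs the group's full distinguished name.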