We ran into this issue while testing SAML users belonging to multiple user groups. We are not sure what delimiter we must use while specifying multiple user groups in the userGroups attribute in the SAML assertion. We tried comma and space, but PAM considers that as one group and fails to log in as the user.
This applies to any PAM release as of October 2019.
The groups should be specified with separate "saml2:AttributeValue" entries, one entry per group, rather than as a delimited list inside a single value.
Here is sample data for the userGroup part of the SAML IdP response for a user with two group memberships (pam02samlg2 and pam02samlgroup):
<saml2:Attribute FriendlyName="userGroup" Name="userGroup" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">pam02samlg2</saml2:AttributeValue>
    <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">pam02samlgroup</saml2:AttributeValue>
</saml2:Attribute>
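To confirm what the IdP actually sends, the following added example (not PAM or vendor code) parses a captured attribute statement and flags any userGroup value that looks like several groups joined into one AttributeValue. The wrapper element, the function names and the delimiter heuristic are assumptions made for illustration; the sample XML is constructed from the group names above.

```python
import re
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"

def group_values(xml_text, attr_name="userGroup"):
    """Return the text of every AttributeValue under the named Attribute."""
    root = ET.fromstring(xml_text)
    values = []
    for attr in root.iter("{%s}Attribute" % SAML2):
        if attr.get("Name") != attr_name:
            continue
        for val in attr.findall("{%s}AttributeValue" % SAML2):
            values.append((val.text or "").strip())
    return values

def suspicious_values(values):
    """Heuristic: a value containing a comma, semicolon or whitespace is
    probably several groups packed into one AttributeValue. A group whose
    real name contains one of these characters is flagged as well."""
    return [v for v in values if re.search(r"[,;\s]", v)]

# Constructed sample input: a minimal wrapper around the userGroup attribute.
WRAP = ('<saml2:AttributeStatement xmlns:saml2="' + SAML2 + '">'
        '<saml2:Attribute FriendlyName="userGroup" Name="userGroup" '
        'NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">'
        '{}</saml2:Attribute></saml2:AttributeStatement>')
VAL = ('<saml2:AttributeValue '
       'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
       'xsi:type="xs:string">{}</saml2:AttributeValue>')

# One AttributeValue per group, as described above.
GOOD = WRAP.format(VAL.format("pam02samlg2") + VAL.format("pam02samlgroup"))
# Both groups in a single comma-separated value: read as one group name.
BAD = WRAP.format(VAL.format("pam02samlg2,pam02samlgroup"))

if __name__ == "__main__":
    for label, doc in (("separate values", GOOD), ("delimited value", BAD)):
        vals = group_values(doc)
        print(label, "->", vals, "| flagged:", suspicious_values(vals))
```

This only inspects attribute layout during troubleshooting; it does not validate the assertion's signature and should be run on captured test assertions, not used as an authentication check.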