Existing SAML users in PAM with the Global Administrator role, in our case inherited from the user group they are members of, cannot log on to PAM and receive the error "PAM-CMN-0900: Bad User ID or Password." The user ID and password are known to be correct, and on the IdP side the SAML authentication is reported as successful. A new user in the same group is initially able to log on to PAM and has a user entry created by JIT (Just-In-Time) provisioning, but that user's subsequent logon attempts fail as well.
PAM automatically adds Global Administrators to the internal group "TAP Administrators" when the PAM license includes the Threat Analytics option. No such group exists on the IdP side, so the list of user groups that the IdP sends to PAM does not include it. Because of a bug in the PAM code, PAM compared the groups asserted by the IdP against the groups recorded on the local user entry, including the internally added one, detected a user group membership mismatch and denied the login. This is why a new user's first login succeeds: the entry does not exist yet and is created by JIT provisioning, and the mismatch only appears once PAM has added the internal group to it.
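As an added illustration of the cause, not code from PAM or from its documentation: the following Python models a group-reconciliation check of the kind described above. Everything in it is an assumption made for the example: the IdP-side group name "PAM Global Admins", the buggy check being exact set equality between the IdP-asserted groups and the user's stored groups, and the corrected check excluding only the groups PAM manages itself while still rejecting a real membership change at the IdP. The second login of the JIT-provisioned Global Administrator fails under the buggy comparison and succeeds under the corrected one; a user who is not a Global Administrator is unaffected either way.

```python
"""Hypothetical model of the SAML group-membership reconciliation bug.

Added example, not PAM's code. Group names, the internal-group handling and
the comparison logic are assumptions chosen to reproduce the symptom.
"""

# Assumed: groups PAM adds on its own, which the IdP never asserts.
INTERNAL_GROUPS = {"TAP Administrators"}
# Constructed: the IdP group that grants the Global Administrator role.
GLOBAL_ADMIN_GROUPS = {"PAM Global Admins"}
ERR_BAD_CREDENTIALS = "PAM-CMN-0900: Bad User ID or Password."


class UserStore:
    """Minimal stand-in for PAM's local user entries."""

    def __init__(self, threat_analytics_licensed=True):
        self.users = {}
        self.threat_analytics_licensed = threat_analytics_licensed

    def jit_provision(self, user_id, idp_groups):
        # First login: the entry is created from the IdP-asserted groups.
        self.users[user_id] = set(idp_groups)
        self.apply_internal_groups(user_id)

    def apply_internal_groups(self, user_id):
        # Global Administrators are added to the internal TAP group when the
        # Threat Analytics option is licensed (as described in the article).
        groups = self.users[user_id]
        if self.threat_analytics_licensed and groups & GLOBAL_ADMIN_GROUPS:
            groups |= INTERNAL_GROUPS


def buggy_groups_match(local_groups, idp_groups):
    """Assumed buggy check: requires the stored groups to equal the IdP list,
    so a locally added internal group always causes a mismatch."""
    return set(local_groups) == set(idp_groups)


def fixed_groups_match(local_groups, idp_groups):
    """Assumed corrected check: internally managed groups are not part of the
    comparison, but a genuine change at the IdP is still detected."""
    return set(local_groups) - INTERNAL_GROUPS == set(idp_groups)


def saml_login(store, user_id, idp_groups, groups_match):
    """Return 'OK' on success, or the PAM error string on a group mismatch."""
    if user_id not in store.users:
        store.jit_provision(user_id, idp_groups)
        return "OK"
    if not groups_match(store.users[user_id], idp_groups):
        return ERR_BAD_CREDENTIALS
    store.apply_internal_groups(user_id)
    return "OK"


def simulate(groups_match, idp_groups=GLOBAL_ADMIN_GROUPS):
    """Two consecutive SAML logins of the same user with identical IdP data."""
    store = UserStore()
    first = saml_login(store, "alice", idp_groups, groups_match)
    second = saml_login(store, "alice", idp_groups, groups_match)
    return first, second


if __name__ == "__main__":
    print("buggy :", simulate(buggy_groups_match))
    print("fixed :", simulate(fixed_groups_match))
    print("non-admin, buggy:", simulate(buggy_groups_match, {"Ops"}))
```

The general lesson the model shows is that when local state is reconciled against attributes asserted by an external identity provider, anything the local system adds on its own (internal roles, license-driven groups, audit memberships) must be excluded from the comparison, otherwise the first login after such an addition fails with an error that wrongly points at the credentials.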
Release : 3.4
Component : PRIVILEGED ACCESS MANAGEMENT
The problem was first observed internally by PAM QA and was fixed in the 3.4.4 release; it is fixed in the 4.0 release as well. Because it was an internal defect, the fix is not listed under resolved issues in the online documentation. Upgrading to 3.4.4 or later, or to 4.0 or later, resolves the problem. If an upgrade is not possible at this time but the problem needs to be fixed, engage PAM Support.