Existing SAML users with a Global Administrator role cannot logon to PAM, and Just-In-Time provisioning for new SAML users with this role, inherited from the group they are a member of, fails as well. Working with Support we understand that this problem occurred because our license includes Threat Analytics, but user group "TAP Administrators" does not exist. Our license was updated recently. The old license did not include the Threat Analytics option. This history seems to be the cause of the problem.
Release : 3.4
Component : PRIVILEGED ACCESS MANAGEMENT
When the Threat Analytics licensing option is enabled, PAM create a TAP Administrators user group and automatically adds all Global Administrators to the group. But when it tried to do that with a SAML user, it ran into an error because the SAML user's group membership is meant to match the group membership in the Identity Provider. PAM did not exempt the internal group from the group membership check.
As of August 2021 this problem is not fixed in any available PAM release, including 3.4.4 and 4.0. It is unlikely to be fixed in 3.4.5 and 4.0.1.
As a workaround temporarily remove the Global Administrator role from the SAML user (groups) and apply the new license again. Once you see the "TAP Administrator" user groups under Users > Manage User Groups, you can restore the Global Administrator role.
Note that if you are running a release lower than 3.4.3, you may run into the problem discussed in KB https://knowledge.broadcom.com/external/article?articleId=221437 once you get past the problem we are concerned with here.