All supported DX NetOps Performance Management releases
The "Name ID Format" setting in the IDP needs to be set to "username".
Enabling debug for SAML2 issues.
Go to http://<PC_Hostname>:8381/sso/webservices/admin/debug
Log in using the default admin user and it's password.
Click on Logs
Click on Runtime Configuration
In the "Add/Update a logging category" fields:
In Category Name add "common.saml2". Description can be left blank. Set Level to DEBUG. Hit the Add button.
In Category Name add "common.sso.saml2". Description can be left blank. Set Level to DEBUG. Hit the Add button.
Reproduce the attempted SAML login that fails.
Logging will be written to the SSO Service SSOService.log and wrapper-<date>.log files in the (default path) /opt/CA/PerformanceCenter/sso/logs. Review those logs or share them with support for analysis.