When accessing the User Console, we see the below.
Release: 14.4, 14.4.1
Virtual Appliance
The "Forbidden" message appears because you are logged in as portaladmin in the Management Console. That user does not exist within IDM, so when the SSO token kicks in, it tries to log in to the User Console as portaladmin automatically. This causes the "Forbidden" message.
You will need to log in to the Management Console and the User Console one at a time. Be sure to log out of one before accessing the other when going from the Management Console to the User Console.
To configure a user to have access to both the User and Admin pages of the portal, add that user to the PortalAdmins profile as described in the documentation here:
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-portal/14-5/administrating/identity-portal-administration/users-administering-identity-portal.html