Error PAM-CMN-0988: The validation of the SAML assertion of user identity <user_here> from remote IdP https://<Azure_app_id_here> succeeded but mapping the user to a SAML-enabled CA PAM account failed when logging in with Azure in CA PAM

Article ID: 273400

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

In a working CA PAM environment with Authentication set to Azure as an IdP, existing users are able to log in just fine, but any new user trying to use the system gets the following error:

PAM-CMN-0988: The validation of the SAML assertion of user identity <user_here> from remote IdP https://<Azure_app_id_here> succeeded but mapping the user to a SAML-enabled CA PAM account failed

Comparing the assertion generated in Azure for a working user and for a non-working user shows no difference: both are reported as validated and the attribute mapping is the same in both cases.

Environment

CA PAM all releases

Cause

There are multiple possible causes for this, but if all configuration is correct and consistent, it may be caused by PAM not being able to provision a user based on the information received from Azure when that user has not been provisioned earlier.

This is the purpose of the JIT checkbox in the Remote IdP configuration, as explained in the documentation:

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/privileged-access-manager/4-1-3/configuring-your-server/authenticate-users-logging-in-to-the-server/azure-ad-as-an-identity-provider-idp.html

If this option is not selected, PAM will still try to provision the user coming from Azure, but it will not have the necessary rights to do so, and this error is returned.
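To tell the JIT case described above apart from the other possible causes, it helps to group the PAM-CMN-0988 failures by user and check whether each failing user already has a SAML-enabled PAM account. The script below is an added example and not part of this article or of CA PAM; the log line layout around the error text, the IdP placeholder URL, the user names and the list of existing accounts are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed IdP value standing in for https://<Azure_app_id_here>.
IDP = "https://AZURE-APP-ID-PLACEHOLDER"

# The error text exactly as quoted in the article; the timestamp and severity
# prefix used in the sample lines below is constructed.
MSG = ("PAM-CMN-0988: The validation of the SAML assertion of user identity {u} "
       "from remote IdP {i} succeeded but mapping the user to a SAML-enabled "
       "CA PAM account failed")

SAMPLE_LOG = "\n".join([
    "2024-05-01 09:12:03 INFO  SAML login succeeded for alice@example.com",
    "2024-05-01 09:14:11 ERROR " + MSG.format(u="bob@example.com", i=IDP),
    "2024-05-01 09:15:40 ERROR " + MSG.format(u="carol@example.com", i=IDP),
    "2024-05-01 09:20:02 ERROR " + MSG.format(u="bob@example.com", i=IDP),
    "2024-05-01 09:31:27 ERROR " + MSG.format(u="dave@example.com", i=IDP),
])

# Constructed list of SAML-enabled PAM accounts that already exist
# (in a real case, exported from the PAM user list).
EXISTING_SAML_ACCOUNTS = {"alice@example.com", "dave@example.com"}

PAM_CMN_0988 = re.compile(
    r"PAM-CMN-0988: The validation of the SAML assertion of user identity "
    r"(?P<user>\S+) from remote IdP (?P<idp>\S+) succeeded but mapping the "
    r"user to a SAML-enabled CA PAM account failed"
)


def triage_0988(log_text, existing_accounts):
    """Return {user: {"count", "idps", "hint"}} for every PAM-CMN-0988 hit.

    A failing user with no existing SAML-enabled account matches the cause in
    this article (JIT provisioning disabled). A failing user whose account
    already exists is not that case, so the hint points back at the other
    possible causes (configuration and attribute mapping) instead.
    """
    hits = defaultdict(lambda: {"count": 0, "idps": set()})
    for line in log_text.splitlines():
        m = PAM_CMN_0988.search(line)
        if m:
            hits[m.group("user")]["count"] += 1
            hits[m.group("user")]["idps"].add(m.group("idp"))
    return {
        user: {
            "count": h["count"],
            "idps": sorted(h["idps"]),
            "hint": ("account exists: review IdP config and attribute mapping"
                     if user in existing_accounts
                     else "no PAM account: check Allow Just in Time Provisioning"),
        }
        for user, h in hits.items()
    }


if __name__ == "__main__":
    for user, info in triage_0988(SAMPLE_LOG, EXISTING_SAML_ACCOUNTS).items():
        print(f"{user}: {info['count']} failure(s) from {info['idps']} -> {info['hint']}")
```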

Resolution

Make sure that Allow Just in Time Provisioning is checked in the Azure as an IdP configuration for this system.