SAML fails to authenticate.

Article ID: 369365

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

The PAM SAML SP logs show the following error:

May 28 14:05:00 SAML_RP ERROR [655703773e] SimpleSAML_Error_NoState: NOSTATE

This error usually points to an Assertion Consumer Service (ACS) configuration error or to a load balancer that is not configured with session persistence.

Environment

PAM 4.0 or higher release.

Cause

The message NOSTATE is a generic error that can occur with SAML authentication and means "State Information Lost": the SP cannot find the session state it saved when it sent the AuthnRequest, so it cannot match the returned SAML Response to a pending login. It has several possible causes, including a change of domain name or landing-page host name during the authentication process (for example, because of incorrect session or cookie settings) or a lack of load balancer persistence, where the return connection to the ACS lands on a different node than the one that started the login.

SAML Assertion Consumer Service (ACS) is a web service endpoint that is part of the Security Assertion Markup Language (SAML) authentication and authorization protocol. The ACS is a service provided by the service provider (SP) that receives and processes SAML assertions from the identity provider (IdP). 

In this particular case the cause was a misconfiguration of the default ACS entry (index 0) at the IdP, which had been defined with the VIP IP address instead of the VIP FQDN (hostname). The browser started the login against the FQDN, but the IdP then posted the SAML Response to the IP address, so the session cookie holding the SP state was not sent with the response and the PAM appliance rejected it. For the SAML assertion to be accepted, the ACS must be referenced by hostname or FQDN; validating against an IP address is not supported for CA PAM.

Resolution

The ACS default configuration (index 0) was updated in Azure to use the VIP FQDN in order to connect to the proper destination.

Additional Information

If SAML authentication is used for client access with a PAM cluster (4.0 or higher release) behind an external load balancer, the default ACS must be configured with the VIP FQDN. Connecting to individual PAM appliances by their own hostname or IP address will not allow SAML authentication, because the response returns to a host that does not hold the session state.
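The check below is an added example, not part of CA PAM or of this article: it validates the ACS URL configured at the IdP (and the Destination attribute of a SAML Response returned by the IdP) against the cluster VIP FQDN, flagging IP literals and individual node hostnames, which are the two misconfigurations described above. The FQDN pam.example.com, the node names, the ACS path /saml/acs and the SAML Response it builds are all assumptions constructed for illustration; substitute your own VIP FQDN and the ACS path PAM actually uses.

```python
"""Check that a SAML SP's default ACS URL (index 0) and the Destination of an
IdP's SAML Response point at the cluster VIP FQDN, not an IP literal or an
individual node. Added example; hostnames, path and the Response are constructed."""
import base64
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Hypothetical values: the VIP FQDN the browser actually uses, and the node names.
EXPECTED_ACS = "https://pam.example.com/saml/acs"
CLUSTER_NODE_HOSTS = {"pam-node1.example.com", "pam-node2.example.com"}


def is_ip_literal(host):
    """True if host is an IPv4/IPv6 address rather than a hostname."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def check_acs_url(acs_url, expected_acs=EXPECTED_ACS, node_hosts=CLUSTER_NODE_HOSTS):
    """Return a list of findings; an empty list means the ACS URL is acceptable."""
    findings = []
    got = urlparse(acs_url)
    want = urlparse(expected_acs)
    host = (got.hostname or "").lower()
    want_host = (want.hostname or "").lower()
    if got.scheme != "https":
        findings.append("ACS URL is not https")
    if is_ip_literal(host):
        findings.append(f"ACS host {host} is an IP literal; use the VIP FQDN {want_host}")
    elif host in node_hosts:
        findings.append(f"ACS host {host} is an individual node; use the VIP FQDN {want_host}")
    elif host != want_host:
        findings.append(f"ACS host {host} does not match expected {want_host}")
    if got.path != want.path:
        findings.append(f"ACS path {got.path!r} does not match expected {want.path!r}")
    return findings


def check_saml_response(saml_response_b64, expected_acs=EXPECTED_ACS):
    """Decode a base64 SAMLResponse (HTTP-POST binding) and check its Destination.

    The Destination is where the IdP believes the SP's ACS lives; if it is an IP
    or a node name, the browser posts the Response to a host that never set the
    SP session cookie, which is the NOSTATE situation described in the article.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != f"{{{SAMLP_NS}}}Response":
        return ["not a samlp:Response"]
    dest = root.get("Destination")
    if dest is None:
        return ["Response has no Destination attribute"]
    return check_acs_url(dest, expected_acs)


def build_response(destination):
    """Build a minimal, unsigned samlp:Response for testing (constructed, not real IdP output)."""
    xml = (f'<samlp:Response xmlns:samlp="{SAMLP_NS}" ID="_abc" Version="2.0" '
           f'IssueInstant="2024-05-28T14:05:00Z" Destination="{destination}"/>')
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    for dest in ("https://10.0.0.5/saml/acs",
                 "https://pam-node1.example.com/saml/acs",
                 EXPECTED_ACS):
        print(dest, "->", check_saml_response(build_response(dest)) or "OK")
```

To check a live login, capture the SAMLResponse form field from the browser's POST to the ACS and pass it to check_saml_response; a finding on the host is the configuration to fix at the IdP (the default ACS entry, index 0), and a clean result with a persisting NOSTATE points instead at load balancer persistence.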