User cannot access application with "No matching policy was found" entry in logs

Article ID: 400709

Products

Symantec ZTNA

Issue/Introduction

A ZTNA rollout is in progress, with 100s of users being added every week.

One such user reported not being able to access an assigned web application.

The forensic logs recognise the valid user but block the request with the reason "No matching policy was found".

This user is a member of the group referenced in the policy entity section.

The identity provider used is a 'generic SAML' identity provider with custom attributes sent over.

Browsing the available groups under 'Users and groups' for the selected identity provider, only a subset of all available groups appears (there should be 1000s but only 100 are seen), and searching for the group under this identity provider does not return the expected group.

Environment

ZTNA.

Generic SAML identity provider.

Cause

By default, the ZTNA service limits the number of groups imported per identity provider to 500. Groups beyond that limit are not synced, so a policy that references one of them cannot match the user, even though the user is a member of that group at the identity provider.

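The following Python script is an added illustration and is not part of this article or of the ZTNA product code. It models the failure mode described above: the policy engine can only match against groups that were imported from the identity provider, and only the first 500 per identity provider are imported, so a user who carries the right group in their SAML assertion still gets "No matching policy was found" when that group sits beyond the cap. The SAML assertion, the attribute name `groups`, the group names, the cap constant and the matching logic are all constructed assumptions for the model, not the product's internals.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: a minimal SAML assertion carrying a custom "groups" attribute.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>eng-platform</saml:AttributeValue>
      <saml:AttributeValue>app-finance-users</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# The article states a default cap of 500 groups per identity provider; the name is ours.
DEFAULT_GROUP_CAP = 500

NO_POLICY = "No matching policy was found"


def asserted_groups(xml_text, attr_name="groups"):
    """Return the group values carried in the assertion's custom group attribute."""
    root = ET.fromstring(xml_text)
    values = []
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == attr_name:
            values.extend(
                v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text
            )
    return values


def synced_groups(idp_groups, cap=DEFAULT_GROUP_CAP):
    """Model of the per-IdP import: only the first `cap` groups become visible to policy."""
    return set(idp_groups[:cap])


def diagnose(xml_text, policy_groups, idp_groups, cap=DEFAULT_GROUP_CAP):
    """Explain an access decision for one user.

    A policy matches only when a group is (a) asserted for the user, (b) referenced
    by the policy and (c) present in the synced subset. Groups that satisfy (a) and
    (b) but not (c) are reported as 'unsynced', which is the situation in the article.
    """
    user_groups = set(asserted_groups(xml_text))
    visible = synced_groups(idp_groups, cap)
    referenced = user_groups & set(policy_groups)
    matched = referenced & visible
    if matched:
        return {"decision": "allow", "matched": sorted(matched), "unsynced": []}
    return {"decision": NO_POLICY, "matched": [], "unsynced": sorted(referenced - visible)}


def build_idp_groups(total=1200):
    """Constructed IdP directory: 1200 groups, one of which sits past the 500 cap."""
    groups = [f"grp-{i:04d}" for i in range(total)]
    groups[10] = "eng-platform"          # within the first 500: gets synced
    groups[900] = "app-finance-users"    # beyond the cap: never synced
    return groups


if __name__ == "__main__":
    idp = build_idp_groups()
    # The policy grants the web application to app-finance-users.
    print(diagnose(SAMPLE_ASSERTION, ["app-finance-users"], idp))
    # The same policy after the cap has been raised (the article's resolution).
    print(diagnose(SAMPLE_ASSERTION, ["app-finance-users"], idp, cap=2000))
```

Running the script shows the first decision as "No matching policy was found" with `app-finance-users` listed as unsynced, and the second as "allow" once the cap exceeds the group's position in the directory. The useful check for a practitioner is the `unsynced` list: a non-empty value means the user and the policy agree on a group that the tenant has simply never imported.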
Resolution

Contact Broadcom Support to have the maximum number of groups allowed per tenant increased.