Symptom
ISE 3.1 SAML admin login fails with an Access Denied error despite successful SAML authentication, even when the proper group mapping is defined in the IdP settings on ISE.
Conditions
ISE 3.1 SAML admin login when the assertion for the user contains multiple values in the "Groups" claim.
Workaround
Ensure that only the first group from the assertion is used, or switch back to local/AD authentication for admin login.
Further Problem Description
When the user's assertion contains multiple groups in the "Groups" claim, as in the example below:
Group1
Group2
Group3
RBAC on ISE succeeds only if the ISE admin has configured a mapping for Group1 in the IdP settings. If the mapping has been configured for any other group, RBAC authorization fails despite successful SAML authentication.
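
To check whether a given admin is affected, the decoded assertion can be inspected for the position of the mapped group within the "Groups" claim. The script below is an added example, not Cisco code: the function names and the sample assertion are constructed for illustration, and it assumes the claim is carried as a standard SAML 2.0 Attribute named "Groups".

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ATTRIBUTE_TAG = "{urn:oasis:names:tc:SAML:2.0:assertion}Attribute"

# Constructed sample assertion fragment (not taken from a real IdP).
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="Groups">
      <saml:AttributeValue>Group1</saml:AttributeValue>
      <saml:AttributeValue>Group2</saml:AttributeValue>
      <saml:AttributeValue>Group3</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def group_values(assertion_xml, claim_name="Groups"):
    """Return the values of the named claim in document order."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iter(ATTRIBUTE_TAG):
        if attr.get("Name") == claim_name:
            for value in attr.findall("saml:AttributeValue", SAML_NS):
                values.append((value.text or "").strip())
    return values


def check_mapping(assertion_xml, mapped_group, claim_name="Groups"):
    """Classify the group that ISE maps to an admin role against the assertion."""
    values = group_values(assertion_xml, claim_name)
    if mapped_group not in values:
        return "not-in-assertion"  # mapping can never match this user
    if values.index(mapped_group) == 0:
        return "ok"  # first value: RBAC succeeds per the description above
    return "affected"  # present but not first: Access Denied expected


if __name__ == "__main__":
    for group in ("Group1", "Group2", "GroupX"):
        print(group, "->", check_mapping(SAMPLE_ASSERTION, group))
```

Run it against the assertion captured from a failed login (base64-decoded from the SAMLResponse) with the group name configured in the ISE mapping; a result of "affected" matches the condition in this report.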