Hello Doug,
This error indicates authentication passed, but authorization failed at the SMA.
Focus on the settings within Users > External Authentication > SAML: Attribute Name, Group Name, and Group Mapping.
Also, in one of the similar issues, it was found that the problem was with the difference in the “Sign Assertion”.
Basically, the IdP was configured to release only the ‘mail’ and ‘uid’ attributes, and neither of them matched the group names in the SMA configuration.
I hope the above information might be helpful.
Cheers,
Pratham
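
The mismatch described in the reply above can be checked offline against a captured assertion. This is an added example, not part of the original post and not Cisco code. It parses the assertion's attributes and reports whether the configured group attribute is present and whether any value maps to a role. Assumptions: the attribute name `memberOf`, the group `SMA-Admins`, the sample assertion and exact string matching are all constructed for illustration, and the signature is not verified.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: an assertion whose IdP releases only 'mail' and 'uid'.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="mail">
      <saml:AttributeValue>doug@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="uid">
      <saml:AttributeValue>doug</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def released_attributes(assertion_xml):
    """Return {attribute name: [values]} from the assertion's attributes."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        values = [(v.text or "").strip()
                  for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def diagnose(assertion_xml, attribute_name, group_mapping):
    """Explain why a SAML login would or would not map to a role.

    attribute_name: attribute the service provider reads group values from.
    group_mapping:  {group name expected from the IdP: local role}.
    Matching is exact and case-sensitive (an assumption of this example).
    """
    attrs = released_attributes(assertion_xml)
    if attribute_name not in attrs:
        # IdP never released the attribute: authentication passes, no role.
        return ("attribute_missing", sorted(attrs))
    roles = sorted({group_mapping[g] for g in attrs[attribute_name]
                    if g in group_mapping})
    if not roles:
        return ("no_group_match", attrs[attribute_name])
    return ("authorized", roles)


if __name__ == "__main__":
    # Hypothetical settings: attribute 'memberOf', 'SMA-Admins' -> Administrator.
    print(diagnose(SAMPLE_ASSERTION, "memberOf", {"SMA-Admins": "Administrator"}))
```

An `attribute_missing` result points at the IdP's attribute release policy, while `no_group_match` points at the Group Name and Group Mapping values on the appliance.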