We have implemented Azure SAML authentication for global protect users. There is no group filtering on Azure site.
We tried limiting ldap groups in the:
1. SAML Auth profile on palo alto
2. Gateway > Agent > Client Settings
Inspite of the restrictions anyone outside the groups is able to connect to global protect. So does the groups setting on Azure override the group filtering on palo alto?