For what it's worth, support confirmed that there is no group support with SAML authentication. They referenced a Prisma document: https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-integration/authentica... which does state:
"You can’t use group information that’s retrieved from the SAML assertion in either security policies or the agent client configuration in the portal and gateways. If you have a requirement to configure user group-based policies and configuration selections, you must Enable Group Mapping and retrieve the user group information from the LDAP server using Group Mapping Settings."
However, I did find an unsupported workaround, at least in 8.1. If you can do LDAP group mapping but want to use SAML authentication (which is what we want to support multifactor), then if you send over the SAML username in the form <domain>\<username>, it will match up to the AD/LDAP user and use the group mappings from LDAP. This may be what Ozamir references above.
This is no help for people who want to use Google exclusively.
It is definitely an incomplete implementation, since the SAML configuration supports both an "Access Domain Attribute" and a "User Group Attribute" but it does not use either one for GlobalProtect. (These are only used for Mgmt SAML authentication.)
Hope this information helps someone else.