I updated the script slightly with some more lines and a hopefully helpful output in case of errors. I tested the script on a firewall running PAN-OS 9.1.9 with a GlobalProtect deployment that has SAML configured as authentication. With another check regarding other authentication methods where the domain attribute may be there, it should still work in such deployments. So if anyone is going to use the script, feel free to get back to me in case of problems or other feedback.
(I updated the script in the first post of this topic)