OK, got it, and unfortunately you are right about this limitation. The only thing I can think of is that you install another SAML IdP in the role of some sort of "router". So the users enter their email/UPN on that IdP and are then forwarded, based on the domain suffix, to their actual SAML IdP. This way you could use one portal, and based on the user that logs in, the portal is able to assign the right config. But unfortunately it could be possible that you then hit another limitation, but I am not sure about that - maybe the limitation of 32 also applies to GlobalProtect gateways.
Anyway, you can probably also solve this with different VRs/policy-based forwarding rules.