Hello,
In fact it has nothing to do with the old accounts nor the upgrade as I am able to reproduce the issue on brand new 10.8 environment.
I was misguided because group membership is correctly computed at account initialization but not afterward so the test was different.
Following your recommandation, I enabled logging to debug mode and created to 2 groups 'TEST-SAML' and 'TEST-SAML2' configured as member of the organization group 'gis-esriportal' and tried to log in with an account not initialized on ArcGIS Enterprise and member of the group 'gis-esriportal':
As you can see the user 'foobar' is correctly added to the groups 'TEST-SAML' and 'TEST-SAML2' as it is a member of 'gis-esriportal'.
Then, I created a third group 'TEST-SAML3' configured membership to the very same enterprise group 'gis-esriportal'.
If I try to log in once again with the test account (after signing out, clearing cookie and incognito mode), the following is logged:
So it seems like it does test for membership but according to ArcGIS Enterprise, it is not member of 'gis-esriportal' group.
Then I delete the account on 'ArcGIS Enterprise' and tried to log in again:
User is added to 'TEST-SAML3' group this time.
Any idea what could be the issue ?
Thanks