Hi,

Domain/Groups are not supported for a SAML-enabled cluster.

There is a KB article:

OnCommand System Manager authentication is not working with Active Directory Domain Groups
https://kb.netapp.com/app/answers/answer_view/a_id/1087129

Only workaround: Use CLI to add a domain "user" to the cluster, but without "domain\" prefix. I guess you have already tested this and it works for you.

Example: To add user 'test1' for http & ontapi capability:
::*> security login create -vserver <cluster_vserver> -user-or-group-name test1 -application http -authentication-method saml
::*> security login create -vserver <cluster_vserver> -user-or-group-name test1 -application ontapi -authentication-method saml