Gentle reader,

The documentation for SAML authentication is correct and complete. There is also a video in the playlist dedicated to the new features introduced in R81.10.15. The steps are identical to those in the maintrain configuration.

To make it easier to follow the procedure (especially in Microsoft Entra ID portal) I illustrated each step with screenshots in the attached doc.

Notes:

1. Microsoft Entra ID groups could not be used in access policy (neither group authorization based on identity tags available in maintrain Mobile Access and not [yet] in IPSec Remote Access, nor Entra ID as used in IDA on maintrain).

There is a nice new feature in R81.10.15 that simplifies access control of remote vpn clients traffic, with a video

2. To force interactive authentication on every VPN connection attempt, regardless of whether a valid token and/or cookies are present, the optional forceAuthn SAML parameter has to be configured (big deal when the feature was introduced in maintrain, now documented by sk180948, How to force SAML authentication for users for each Remote Access VPN connection). On Spark (R81.10.15), I configured the parameter in both 

/pfrm2.0/opt/fw1/portals/CPSamlPortal/phpincs/simplesamlphp/config/authsources.php

and

/pfrm2.0/opt/fw1/portals/CPSamlPortal/phpincs/simplesamlphp/config-templates/authsources.php

3. SAML-based authentication is not available on locally managed Spark for SSL VPN (including SNX) and I'm not sure that it was supposed to be aligned with MT even with centrally managed Sparks. 

Hope these help.

P. S. There is a new, simplified procedure available in R81.10.15 to onboard a device to cloud services, that offers the log sorting and querying capabilities of Spark management right in the Enhanced monitoring Spark WebUI and could be very useful especially for starting troubleshooting these new RA VPN features.