Error message : Error 400 seen when trying to login on Global Protect agent

• Issue observed after windows update. It affected multiple windows machines.
• When the machine bootup the user's first attempt to login to global protect will fail with the error message "error 400".
• If the user exit the GP agent and re-lunch it again, the GP agent will authenticate and connect automatically without the user entering the credentials. 

(P4748-T3648)Debug(1379): 04/17/21 20:48:11:449 User cancel current action, turn to disconnected.
(P4748-T3648)Debug( 410): 04/17/21 20:48:11:450 Portal is not connected and hide the gateway list.
(P4748-T3648)Debug(3372): 04/17/21 20:48:11:450 Change dialog status to not connected.
(P4748-T3648)Debug(1254): 04/17/21 20:48:11:476 Found more than one connections, return empty.
(P4748-T3648)Debug(2310): 04/17/21 20:48:11:502 receive resize message from 1, and new height is 243.
(P4748-T3648)Debug(2310): 04/17/21 20:48:11:509 receive resize message from 1, and new height is 291.
(P4748-T3648)Debug( 906): 04/17/21 20:48:12:567 Receive inactive message.
(P4748-T3648)Debug(1132): 04/17/21 20:48:12:695 Display the main panel when user click the tray icon.
(P4748-T3648)Debug(3268): 04/17/21 20:48:12:704 Show the main panel.
(P4748-T3648)Debug( 906): 04/17/21 20:48:13:027 Receive inactive message.
(P4748-T3648)Debug( 506): 04/17/21 20:48:13:030 CPanSAMLDlg::HideViewImpl - view is visible now. the page:
<html>
<head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
    <meta name="robots" content="none" />

    <title>Parsons - Bad Request</title>

    <link rel="stylesheet" type="text/css" href="/assets/css/sections/errors-v2.css">
</head>
<body>
    <div class="login-bg-image" style="background-image: url('https://ok11static.oktacdn.com/fs/bco/7/fs0n3c2tqlgHSJHmN4x6')"></div>
    <div class="widget">
        <div class="container">
            <div class="header">
                <img alt="Parsons" src="https://ok11static.oktacdn.com/fs/bco/1/fs0mfwb44U5Qy3p2T4x6" class="org-logo">
            </div>
            <div class="illustration">
                <!-- Show HTTP error code if exists -->
                <div class="error-code">400</div>
                <!-- Show generic error image if not  -->
            </div>
            <div class="content">
                <h2 class="o-form-title">Bad Request</h2>
                <p class="o-form-explain">Your request resulted in an error. Bad SAML request</p>
                <a href="/" class="button">Go to Homepage</a>

            </div>
        </div>
    </div>
</body>
</html>

• Palo Alto firewall.
• Global Protect (GP) portal/gateway configured.
• Authentication using LDAP, OKTA and CAC (Common Access Card).
• Palo Alto Agent version : Any

• The  Idp (Identity Provider) was configured to include all AD group members in the SAML assertion.
• When all members are included, it  causes the string to be too large, thereby causing error 400 to be displayed.

1. Reconfigure the Idp and  filter the number of AD groups sent in SAML  assertion
2. Ensure to Include the required VPN Group members instead of all members of all AD groups.