GlobalProtect users fail to connect to the gateway with error "User is not in allow list" on the gateway with Prisma Access multi-portal setup

Created On 03/13/25 05:37 AM - Last Modified 10/28/25 08:16 AM


Symptom


  • Prisma Access is configured with multiple portals.
  • Existing users who can connect via the primary portal can also connect via the secondary portal.
  • New users who are meant to connect only via the secondary portal fail to connect to the gateway with the error "User is not in allow list".
  • The authentication profiles are configured with an allow list based on user groups.




Environment


  • Prisma Access for Users
  • Prisma Access Multi-portal setup


Cause


  • A multi-portal setup requires the authentication profiles on both portals to have the same allow list.
  • Even though the secondary portal is expected to authenticate the user with a different authentication profile, after which GlobalProtect connects to the gateway with an authentication cookie, the gateway still validates the user against the allow list of the authentication profile configured on the gateway (the primary portal's profile).
  • For example, the primary portal has an authentication profile called Auth1 and the secondary portal has an authentication profile called Auth2.
  • The portal has both the Auth1 and Auth2 profiles, so users can authenticate via either one, and each profile's own allow list applies.
  • The gateway has only the primary portal's authentication profile, Auth1, so the allow list configured in that profile is what applies.
  • Even for cookie authentication on the gateway, the user must be a member of the allow list from authentication profile Auth1.




Resolution


Remediation plan
1. Ensure both the primary and secondary authentication profiles have the same user group configuration in their allow lists.
2. Verify the user group settings are correct and aligned across all authentication sequences used by the gateway and portal.
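As an added illustration (not code from the article or from Palo Alto Networks), the following Python script compares the allow lists of two authentication profiles in a Panorama/PAN-OS XML configuration export and reports the groups that the secondary portal's profile allows but the gateway-enforced profile does not. The config snippet and group names are constructed; the profile names follow the article's Auth1/Auth2 example, and a profile whose allow list contains "all" is treated as allowing everyone.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the relevant part of a PAN-OS/Panorama config export:
# authentication-profile entries with their allow-list members. Auth1 is the
# profile the gateway enforces, Auth2 is the secondary portal's profile.
SAMPLE_CONFIG = """
<config>
  <shared>
    <authentication-profile>
      <entry name="Auth1">
        <allow-list>
          <member>cn=gp-users,ou=groups,dc=example,dc=com</member>
        </allow-list>
      </entry>
      <entry name="Auth2">
        <allow-list>
          <member>cn=gp-users,ou=groups,dc=example,dc=com</member>
          <member>cn=gp-contractors,ou=groups,dc=example,dc=com</member>
        </allow-list>
      </entry>
    </authentication-profile>
  </shared>
</config>
"""


def allow_lists(config_xml):
    """Return {profile name: set of allow-list members} for every authentication profile."""
    root = ET.fromstring(config_xml)
    result = {}
    for container in root.iter("authentication-profile"):
        for prof in container.findall("entry"):
            members = {m.text.strip() for m in prof.findall("allow-list/member") if m.text}
            result[prof.get("name")] = members
    return result


def gateway_gap(config_xml, gateway_profile, portal_profile):
    """Allow-list members present in the portal-side profile but missing from the
    profile the gateway enforces. Users matched only by these entries authenticate
    at the secondary portal and then fail on the gateway with
    "User is not in allow list". An empty list means the allow lists are aligned."""
    lists = allow_lists(config_xml)
    if "all" in lists[gateway_profile]:
        return []  # gateway profile allows every authenticated user
    return sorted(lists[portal_profile] - lists[gateway_profile])


if __name__ == "__main__":
    for entry in gateway_gap(SAMPLE_CONFIG, "Auth1", "Auth2"):
        print("missing from gateway profile Auth1:", entry)
```

Run it against a real export by replacing SAMPLE_CONFIG with the file contents; any line it prints is a group to add to the gateway's profile per remediation step 1.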





Additional Information


Run authd in debug mode to identify the failure and find which authentication profile the user's authentication attempt is matching.


