When web traffic is sent through the tunnel, it is redirected to the SAML IdP only if the tunnel is selected as the identity. If only the SAML group or user is selected as the identity, the traffic is not redirected to the IdP and, because the user is never authenticated, access is denied.
For SAML authentication to be initiated, a policy must exist for the tunnel identity (or the network identity). Above this policy, a policy based on SAML user/group identity can be created. SAML association is currently based on Tunnel and Network.
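The following is an added model of the policy ordering described above, not code from the page or from the product it describes; the policy fields, the `evaluate` function and the sample policy/identity values are assumptions made for illustration. It shows the two outcomes the text contrasts: a SAML group policy on its own denies the unauthenticated tunnel traffic, while a tunnel-identity policy placed below it triggers the IdP redirect, after which the group policy matches.

```python
# Added illustrative model (assumptions, not the product's own API).
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

@dataclass
class Policy:
    name: str
    identity: str                 # "tunnel", "network", "saml_user" or "saml_group"
    value: str                    # which tunnel/network/user/group the policy targets
    saml_enabled: bool = False    # only meaningful on tunnel/network policies
    action: str = "allow"

@dataclass
class Request:
    tunnel: Optional[str] = None
    network: Optional[str] = None
    saml_user: Optional[str] = None         # None until the IdP has authenticated the user
    saml_groups: Set[str] = field(default_factory=set)

def _identities(req: Request) -> Set[Tuple[str, str]]:
    """All identities a request currently carries, as (kind, value) pairs."""
    ids = set()
    if req.tunnel:
        ids.add(("tunnel", req.tunnel))
    if req.network:
        ids.add(("network", req.network))
    if req.saml_user:
        ids.add(("saml_user", req.saml_user))
    ids.update(("saml_group", g) for g in req.saml_groups)
    return ids

def evaluate(policies: List[Policy], req: Request) -> Tuple[str, Optional[str]]:
    """Walk the ordered policy list top to bottom and return the first outcome.

    Only a tunnel/network policy with SAML enabled can send an unauthenticated
    request to the IdP; a request that matches nothing ends as 'denied'."""
    ids = _identities(req)
    for p in policies:
        if (p.identity, p.value) not in ids:
            continue
        if p.identity in ("tunnel", "network") and p.saml_enabled and req.saml_user is None:
            return ("redirect_to_idp", p.name)
        return (p.action, p.name)
    return ("denied", None)

def demo():
    """Constructed sample: group policy above a SAML-enabled tunnel policy."""
    group_policy = Policy("eng-web", "saml_group", "Engineering")
    tunnel_policy = Policy("site-tunnel", "tunnel", "branch-1", saml_enabled=True)
    unauth = Request(tunnel="branch-1")
    denied = evaluate([group_policy], unauth)                   # no tunnel policy: denied
    redirect = evaluate([group_policy, tunnel_policy], unauth)  # tunnel policy: IdP redirect
    authed = Request(tunnel="branch-1", saml_user="alice", saml_groups={"Engineering"})
    after_auth = evaluate([group_policy, tunnel_policy], authed)  # group policy now matches
    return denied, redirect, after_auth
```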