SAML + LDAP using Nfactor gives error "You are not allowed to login. Please contact your administrator"

Article ID: CTX307802

Description

After you go to NetScaler to log in, you are redirected to SAML and log in successfully. You are then redirected back to NetScaler and receive the error "You are not allowed to login. Please contact your administrator".

Resolution

In the LDAP server configuration, uncheck the Authentication box. This box tells NetScaler that LDAP must perform a simple bind to the user account using the password provided. Because SAML doesn't provide a password here, and there is no other schema or setting to define one, this box should be unchecked.

Problem Cause

The policy label was configured with lschema_int (no schema). LDAP is configured with Authentication checked, but there is no password because the first factor is SAML.
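
The following check is an added example, not part of the original article or any vendor tooling. It scans a saved NetScaler configuration for the pattern described above: a SAML policy whose next factor is a policy label using LSCHEMA_INT, bound to an LDAP action that still has Authentication enabled. It assumes the configuration uses the standard CLI form of these commands and treats a missing `-authentication` option as the default, ENABLED; all entity names and addresses in the sample are constructed.

```python
import shlex
from collections import defaultdict

# Constructed ns.conf excerpt; every name and address here is made up.
SAMPLE_CONF = """
add authentication samlAction saml_act -samlIdPCertName idp_cert -samlRedirectUrl "https://idp.example.test/sso"
add authentication ldapAction ldap_act -serverIP 192.0.2.10 -ldapBase "dc=example,dc=test" -ldapLoginName sAMAccountName
add authentication Policy saml_pol -rule true -action saml_act
add authentication Policy ldap_pol -rule true -action ldap_act
add authentication policylabel ldap_factor -loginSchema LSCHEMA_INT
bind authentication policylabel ldap_factor -policyName ldap_pol -priority 100 -gotoPriorityExpression NEXT
bind authentication vserver aaa_vs -policy saml_pol -priority 100 -nextFactor ldap_factor -gotoPriorityExpression NEXT
"""

def parse_opts(tokens):
    """Map '-option value' pairs to a dict keyed by lower-cased option name."""
    return {t.lower(): v for t, v in zip(tokens, tokens[1:]) if t.startswith("-")}

def find_passwordless_ldap_binds(conf):
    """Return (label, policy, ldapAction) where SAML hands off to a no-schema
    factor whose LDAP action still has Authentication enabled."""
    saml, ldap_binds, noschema = set(), set(), set()
    action_of, in_label, edges = {}, defaultdict(list), []
    for line in conf.splitlines():
        t = shlex.split(line)
        if len(t) < 4 or t[1].lower() != "authentication":
            continue
        verb, kind, name, o = t[0].lower(), t[2].lower(), t[3], parse_opts(t[4:])
        if verb == "add" and kind == "samlaction":
            saml.add(name)
        elif verb == "add" and kind == "ldapaction":
            # Absent option means the default, ENABLED (simple bind with the user's password).
            if o.get("-authentication", "ENABLED").upper() != "DISABLED":
                ldap_binds.add(name)
        elif verb == "add" and kind == "policy":
            action_of[name] = o.get("-action")
        elif verb == "add" and kind == "policylabel":
            if o.get("-loginschema", "").upper() == "LSCHEMA_INT":
                noschema.add(name)
        elif verb == "bind" and kind in ("vserver", "policylabel"):
            policy = o.get("-policy") or o.get("-policyname")
            if kind == "policylabel":
                in_label[name].append(policy)
            if "-nextfactor" in o:
                edges.append((policy, o["-nextfactor"]))
    return [(label, p, action_of[p])
            for first, label in edges
            if action_of.get(first) in saml and label in noschema
            for p in in_label[label] if action_of.get(p) in ldap_binds]

if __name__ == "__main__":
    for label, policy, action in find_passwordless_ldap_binds(SAMPLE_CONF):
        print(f"{label}: {policy} -> {action} binds with a password SAML never supplied")
```

An empty result means no SAML factor hands off to a no-schema LDAP factor that would attempt a bind; adding `-authentication DISABLED` to the sample's LDAP action clears the finding.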