If you access with a user with a REST Call and API token all the Authorizations grups that are obtained from SAML does not apply.
You have a user JohnDoe, this user have administrator group assigned in SAML, when you have to access with a REST call and the API token of this user to restart the instance, Jenkins return you and a 403 error unauthorize because you do not have overall/administer, that is incorrect you are in administrator group and role and have overall/administer permission.

curl -X POST -u USER:APITOKEN http://server.example.com/safeRestart