Mixing SP and IDP initiated authentication flows

My application supports both SP and IDP initiated authentication, using a common AssertionConsumerService endpoint.
Both flows work fine, except in one situation.
If a user causes an SP initiated auth request to be sent to the IDP but then, while sitting on the IDP's auth page, navigates to that same IDP's site, which generates an IDP initiated request, then when my assertion consumer method does the ReceiveSSO call it gets an error saying that an unexpected IDP initiated response was received.
If I clear all the cookies (from my provider site) and go to the IDP site and do IDP initiated again, it will work.
I hope that made sense.

It’s probably a little edge-casey, but is that the expected behavior?


That's the default expected behavior. The SP is expecting a SAML response to the SAML authn request sent as part of SP-initiated SSO. If this is interrupted by an IdP-initiated SSO, the SP doesn't know this has happened, and we report that the SP-initiated SSO flow didn't complete correctly.

You can set OverridePendingAuthnRequest="true" in the configuration. This means SP-initiated SSO can be overridden by IdP-initiated SSO and you shouldn't get an error in this scenario.
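To make the behaviour described in the answer concrete, here is a small model of the SP-side correlation check that produces the error in the question. It is an added illustration, not the library's own code: the `send_sso`, `receive_sso` and `thread_scenario` names, the dict standing in for the SP's cookie, and the `override_pending_authn_request` keyword (modelled on the OverridePendingAuthnRequest setting named above) are all assumptions. The SAML responses it parses are constructed, unsigned stubs trimmed to the attributes the check reads; signature, Conditions and Audience validation are deliberately out of scope.

```python
"""Model of how an SP correlates a SAMLResponse with a pending AuthnRequest.

A solicited response carries InResponseTo pointing at the request ID the SP
stored when it started SP-initiated SSO; an unsolicited (IdP-initiated)
response has no InResponseTo.  The SP only knows a flow is pending through
its own state (a cookie in practice), which is why clearing cookies, as the
poster observed, makes IdP-initiated SSO work again.
"""
import secrets
import xml.etree.ElementTree as ET
from typing import Dict, Optional

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"


class UnexpectedIdpInitiatedResponse(Exception):
    """Unsolicited response arrived while an SP-initiated request was pending."""


class InResponseToMismatch(Exception):
    """Response answers a request this SP did not send or no longer expects."""


def send_sso(sp_session: Dict[str, str]) -> str:
    """Start SP-initiated SSO: generate the AuthnRequest ID and remember it in
    the SP's own session/cookie so the matching response can be correlated."""
    request_id = "_" + secrets.token_hex(16)  # SAML IDs must start with a letter or '_'
    sp_session["pending_authn_request_id"] = request_id
    return request_id


def receive_sso(sp_session: Dict[str, str], response_xml: str,
                override_pending_authn_request: bool = False) -> str:
    """Consume a SAMLResponse at the ACS. Returns 'sp-initiated' or
    'idp-initiated', or raises when the response does not fit the SP's state.
    (Assumed API; only the request/response correlation is modelled.)"""
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % SAMLP:
        raise ValueError("not a samlp:Response")
    in_response_to = root.get("InResponseTo")
    pending = sp_session.get("pending_authn_request_id")

    if in_response_to is None:
        # No InResponseTo: this is an unsolicited, IdP-initiated response.
        # With a request still pending, the default is to refuse it, which is
        # the error seen in the thread.  The override lets it win instead.
        if pending is not None and not override_pending_authn_request:
            raise UnexpectedIdpInitiatedResponse(
                "IdP-initiated response received while SP-initiated SSO is pending")
        sp_session.pop("pending_authn_request_id", None)
        return "idp-initiated"

    # Solicited response: it must answer exactly the request we are waiting on.
    # Accepting anything else would let a stale or attacker-supplied response
    # complete a login the SP never started.
    if pending is None or in_response_to != pending:
        raise InResponseToMismatch(
            "InResponseTo %r does not match pending request %r" % (in_response_to, pending))
    sp_session.pop("pending_authn_request_id", None)
    return "sp-initiated"


def make_response(in_response_to: Optional[str] = None) -> str:
    """Constructed, unsigned sample samlp:Response reduced to what the check reads."""
    attr = ' InResponseTo="%s"' % in_response_to if in_response_to else ""
    return ('<samlp:Response xmlns:samlp="%s" ID="_r1" Version="2.0" '
            'IssueInstant="2024-01-01T00:00:00Z"%s/>' % (SAMLP, attr))


def thread_scenario(override: bool, clear_cookies_first: bool = False) -> str:
    """The sequence from the question: an SP-initiated request is sent, then the
    user triggers IdP-initiated SSO before the first flow completes."""
    sp_session: Dict[str, str] = {}
    send_sso(sp_session)          # SP-initiated request leaves; its ID sits in the cookie
    if clear_cookies_first:
        sp_session.clear()        # what the poster did to make IdP-initiated work again
    return receive_sso(sp_session, make_response(None), override)


if __name__ == "__main__":
    try:
        thread_scenario(override=False)
    except UnexpectedIdpInitiatedResponse as e:
        print("default:", e)
    print("override:", thread_scenario(override=True))
    print("cookies cleared:", thread_scenario(override=False, clear_cookies_first=True))
```

The caveat a practitioner should weigh before flipping the setting: the pending-request check is the same mechanism that stops a response the SP never asked for from completing a login, so enabling the override is reasonable only when IdP-initiated SSO is a supported entry point for the partner IdP, and the usual signature, Conditions and Audience checks on the unsolicited assertion still apply.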