A user must have a session at the IdP Policy Server for the Policy Server to generate an assertion. To establish the session, the single sign-on service at the IdP redirects the user to an application using an authentication URL.
I have the following use case:
Federation A with authentication URL A (auth URL A belongs to a domain joined to USERSTOREA); all users in USERSTOREA are authorized for Federation A.
Federation B with authentication URL B (auth URL B belongs to another domain joined to USERSTOREB); all users in USERSTOREB are authorized for Federation B.
If the user triggers Federation A without a session, he is redirected to authentication URL A and, after providing the USERSTOREA credentials, the SAML assertion is generated.
At this point, if the user triggers Federation B, since he already has a session at the IdP, authentication URL B is not invoked, and so the user gets an AZ reject since USERSTOREA users are not allowed to Federation B.
Is there a way to challenge the user for credentials when triggering Federation B even if he has already gained a session when calling Federation A?