Hi,
You would need to use the same User Directory in both authentication domain and the partnership.
As you know, we need an SMSESSION to generate the SAML assertion, but federation will not have the option to challenge the user, hence we protect the authentication URL. Once the user is authenticated and authorized at the authentication URL, the request will redirect back to the federation service along with the SMSESSION. At this time we need to validate the SMSESSION before going for authorization, and if you don't add the same users in the partnership then it is expected to get a validation error; the request fails to process further and redirects back to the authentication URL.
Please use the same user directory in both the authentication domain and the partnership.
Thanks,
Sharan