Check the metadata you got from the IdP. The metadata should contain the URL to redirect to. So if your current setup does not redirect, there must be something wrong with the metadata on the other side.
Regards,
Ronald
Thank you, Ronald. The challenge we have is that the IDP is provided by the client and they state that the federation metadata works for other service providers. We have traced the SAML and the IDP responds with a POST response to the POST request from the service provider when the (unauthenticated) user tries to access the SSO. In the POST is an error response "status:NoAuthnContext". From the following reference on Wikipedia for the POST binding, it seems as if the IDP should authenticate the user if he is unauthenticated (last sentence in bold below)?
Is this the case, or should the SP do the redirect to the URL in the federation metadata? There is a URL at multiple places in the metadata, but we are not sure whether SAML is supposed to action this from the SP side.
"3. Request the SSO Service at the IdP
The user agent issues a POST request to the SSO service at the identity provider:
POST /SAML2/SSO/POST HTTP/1.1
Host: idp.example.org
Content-Type: application/x-www-form-urlencoded
Content-Length: nnn
SAMLRequest=request&RelayState=token
where the values of the SAMLRequest and RelayState parameters are taken from the XHTML form at step 2. The SSO service processes the <samlp:AuthnRequest> element (by URL-decoding, base64-decoding and inflating the request, in that order) and performs a security check.
If the user does not have a valid security context, the identity provider identifies the user (details omitted)"
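As an added example, not code from this thread, the following Python script (standard library only) shows the SP-side pieces of the exchange quoted above: building the AuthnRequest of step 2, encoding it for the HTTP-POST and HTTP-Redirect bindings, and parsing the Status element of the IdP's Response so that a NoAuthnContext reply is recognised instead of being treated as a generic failure. The SAML 2.0 core specification defines urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext as the second-level status code an IdP returns when it cannot satisfy the RequestedAuthnContext in the request, so the diagnose helper checks whether the SP's own request carried one. All entity IDs, URLs, request IDs and the sample Response are constructed for the example.

```python
import base64
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

NOAUTHNCONTEXT = "urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def build_authn_request(sp_entity_id, acs_url, idp_sso_url,
                        requested_context=None, request_id="_constructed-req-1"):
    """Minimal AuthnRequest as the SP embeds it in the step-2 form.
    requested_context is an optional AuthnContextClassRef URI; when present the
    IdP must satisfy it or answer with a NoAuthnContext status."""
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": "2024-01-01T00:00:00Z",       # constructed timestamp
        "Destination": idp_sso_url,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = sp_entity_id
    if requested_context:
        rac = ET.SubElement(root, f"{{{SAMLP}}}RequestedAuthnContext",
                            {"Comparison": "exact"})
        ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = requested_context
    return ET.tostring(root, encoding="unicode")


def encode_for_post(xml_text):
    # HTTP-POST binding: the XML is base64-encoded and placed in the SAMLRequest form field.
    return base64.b64encode(xml_text.encode()).decode()


def decode_from_post(field_value):
    return base64.b64decode(field_value).decode()


def encode_for_redirect(xml_text):
    # HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64, then URL-encode.
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml_text.encode()) + comp.flush()
    return urllib.parse.quote(base64.b64encode(deflated).decode(), safe="")


def decode_from_redirect(query_value):
    # Reverse order: URL-decode, base64-decode, inflate.
    raw = base64.b64decode(urllib.parse.unquote(query_value))
    return zlib.decompress(raw, -15).decode()


def response_status(response_xml):
    """Return (top-level StatusCode, nested StatusCode or None, StatusMessage or None)."""
    root = ET.fromstring(response_xml)
    status = root.find(f"{{{SAMLP}}}Status")
    top = status.find(f"{{{SAMLP}}}StatusCode")
    nested = top.find(f"{{{SAMLP}}}StatusCode")
    msg = status.find(f"{{{SAMLP}}}StatusMessage")
    return (top.get("Value"),
            nested.get("Value") if nested is not None else None,
            msg.text if msg is not None else None)


def diagnose(response_xml, authn_request_xml):
    """Explain a non-success Response in terms of the SP's own request."""
    top, nested, msg = response_status(response_xml)
    if top == SUCCESS:
        return "success"
    if nested == NOAUTHNCONTEXT:
        req = ET.fromstring(authn_request_xml)
        ref = req.find(f"{{{SAMLP}}}RequestedAuthnContext/{{{SAML}}}AuthnContextClassRef")
        if ref is not None:
            return (f"IdP cannot satisfy requested AuthnContextClassRef {ref.text}; "
                    "relax or remove RequestedAuthnContext on the SP side")
        return "IdP reported NoAuthnContext although the request asked for none; check the IdP"
    return f"IdP error {top} / {nested}: {msg}"


# Constructed sample Response carrying the status seen in the trace above.
CONSTRUCTED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed-resp-1"
  Version="2.0" IssueInstant="2024-01-01T00:00:01Z" InResponseTo="_constructed-req-1">
  <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext"/>
    </samlp:StatusCode>
  </samlp:Status>
</samlp:Response>"""

if __name__ == "__main__":
    req = build_authn_request("https://sp.example.com/metadata", "https://sp.example.com/acs",
                              "https://idp.example.org/SAML2/SSO/POST",
                              requested_context="urn:oasis:names:tc:SAML:2.0:ac:classes:X509")
    print(diagnose(CONSTRUCTED_RESPONSE, req))
```

One caveat on the quoted text: in the SAML 2.0 bindings specification the DEFLATE/inflate step belongs to the HTTP-Redirect binding; the HTTP-POST binding carries the request base64-encoded only, which is why the script keeps the two encodings separate. Running it against a real trace means feeding the SAMLRequest form value to decode_from_post and the SAMLResponse value to response_status; the Destination in the request should match the SingleSignOnService location taken from the IdP metadata.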