Did you set the request handlers? This part of the documentation:

• /SSO/login/[IdP Alias]  /SSO/login?_idp_id=[IdP_Alias]For logging using a specific IdP you have to open either of these two urls, and pass the IdP alias as a parameter in the url.
• /SSO/login/SSO/If you have only 1 active IdP, opening these urls will automatically try to log you in using the active IdP. In case of multiple active IdPs and discovery enable, the user will be redirected to the discovery page.  If discovery is not allowed the user will receive an error message.

Regards,

Ronald

We have a related issue, if the user is already authenticated in the IDP  (a single instance of AD) then the SSO works as expected and the user gets to the app's home page.  However, if the user is not authenticated yet, we get a message "Unable to validate SAML message", whereas the desired behaviour is then to redirect to the AD page where the user could enter his/her credentials to continue the SSO process.  Any ideas where we could look for the solution to this?