SAML IDP Login When not already authenticated

We have integrated the SAML module with our application, using a single IDP (single instance AD).   If the user is already authenticated in the IDP then the SSO works as expected and the user gets to the app's home page.  However, if the user is not yet authenticated yet, we get a message "Unable to validate SAML message", whereas the desired behaviour is then to redirect to the AD page where the user could enter his/her credentials to authenticate before continuing the SSO process.  Any ideas where we could look for the solution to this please?
2 answers

Check your metadata you got from the iDP. Because in the metadata should be the URL where to redirect to. So if your current setup does not redirect there must be something wrong with the metadata on the other side.





Thank you, Ronald.  The challenge we have is the IDP is provided by the client and they state that the federation metadata works for other service providers.   We have traced the SAML and the IDP responds with a POST response to the POST request from the service provider when the (unauthenticated) user tries to access the SSO.  In the POST is a error response "status:NoAuthnContext".  From the following reference on wikipedia for the POST binding  it seems as if the IDP should authenticate the user if  he is unauthenticated (last sentence in bold below)? 

Is this the case or should the SP do the redirect to the URL in the federation metadata.  There is a URL at multiple places in the metadata, but we are not sure whether SAML is supposed to action this from the SP side.

"3. Request the SSO Service at the IdP

The user agent issues a POST request to the SSO service at the identity provider:



Content-Type: application/x-www-form-urlencoded

Content-Length: nnn


where the values of the SAMLRequest and RelayState parameters are taken from the XHTML form at step 2. The SSO service processes the <samlp:AuthnRequest> element (by URL-decoding, base64-decoding and inflating the request, in that order) and performs a security check.

If the user does not have a valid security context, the identity provider identifies the user (details omitted)"