I was doing some SAML auth testing and noticed something interesting. If I have an active session in the IdP with an account, then attempt to log into the SP with a different account (widget using IdP discovery), I will get logged in as the user with a session on the IdP and not the user that initiated SAML auth. Not many of our customers will have multiple accounts but just curious, is this expected behavior?
Yes, this is normal session token behaviour: https://developer.okta.com/docs/guides/session-cookie/overview/#initiate-a-saml-sso-with-the-session-token
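For readers who want the SP to guard against the mismatch described above rather than rely on the IdP's session rules, here is an added example (not code from this thread, and not Okta's own code) of two SP-side defences: requesting `ForceAuthn="true"` in the SAML 2.0 AuthnRequest so the IdP must re-authenticate instead of reusing its existing session, and, on the way back, comparing the asserted NameID with the account that started the login before creating the SP session. The entity IDs, hostnames, and the sample Response are constructed placeholders; signature validation of the Response is assumed to have happened before the subject check.

```python
"""Added example (not from the thread or Okta's own code): an SP-side guard
against the "IdP session wins over the initiating account" behaviour.

Defence 1: set ForceAuthn="true" on the AuthnRequest so the IdP cannot
           satisfy the request from an existing IdP session.
Defence 2: after the Response arrives, compare the asserted NameID with the
           account that initiated the login and refuse on mismatch.
Constants, hostnames and the sample Response below are constructed."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Optional

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SP_ENTITY_ID = "https://sp.example.test/saml/metadata"  # constructed placeholder
ACS_URL = "https://sp.example.test/saml/acs"            # constructed placeholder


def build_authn_request(force_authn: bool = True) -> str:
    """Return an AuthnRequest as an XML string. ForceAuthn="true" asks the IdP
    to re-authenticate the user rather than reuse its current session."""
    req = ET.Element(f"{{{NS['samlp']}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "AssertionConsumerServiceURL": ACS_URL,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    if force_authn:
        req.set("ForceAuthn", "true")
    issuer = ET.SubElement(req, f"{{{NS['saml']}}}Issuer")
    issuer.text = SP_ENTITY_ID
    return ET.tostring(req, encoding="unicode")


def asserted_name_id(response_xml: str) -> Optional[str]:
    """Read the Subject NameID out of a SAML Response. This only extracts the
    subject; signature and condition checks are assumed to be done elsewhere."""
    root = ET.fromstring(response_xml)
    node = root.find(".//saml:Assertion/saml:Subject/saml:NameID", NS)
    if node is None or not node.text:
        return None
    return node.text.strip()


def session_allowed(response_xml: str, initiating_user: str) -> bool:
    """True only when the IdP asserted the same principal that started the
    login at the SP (case-insensitive comparison of the NameID value)."""
    asserted = asserted_name_id(response_xml)
    return asserted is not None and asserted.lower() == initiating_user.lower()


# Constructed sample Response: the IdP asserted alice even though bob
# initiated the login at the SP.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.test</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.test</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(build_authn_request())
    print("bob allowed:  ", session_allowed(SAMPLE_RESPONSE, "bob@example.test"))
    print("alice allowed:", session_allowed(SAMPLE_RESPONSE, "alice@example.test"))
```

The ForceAuthn flag costs the user a fresh login every time, so many SPs instead apply only the second check and surface a clear "you are signed in to the identity provider as a different account" message when the NameID does not match the account that started the flow.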
Ah, I missed that piece of documentation. Thanks for confirming!