Hi all, Our SP application connects to an identity federation via Satosa. We have two authentication flows, one which starts the authentication process using SAML and one which starts the authentication flow using OIDC. The entire process works well when using OIDC only, however, a requirement is that we can start the same process via SAML. After authentication (via SAML) is completed, the SP application tries to - Request a code - Request an OIDC access token using the code - Check the access token using the userinfo endpoint The issue that we are facing in the flow which starts the authentication by SAML, is that the user is presented with the WAYF page twice. The first time during the SAML flow, and the second time when requesting an OIDC code. I assumed that because the user had just authenticated themselves, Satosa would be able to return a code without asking the user to authenticate again. My questions are: - Have I made a mistake in assuming this is a logical process to use for authentication and authorisation? Is using SAML and OIDC in a mixed way a bad idea? - Is it possible to receive a OIDC code or access token as a result of a SAML authentication flow? - If not, is it possible to receive a code or access token without asking the user to authenticate once again? I would imagine setting Satosa to 'remember IdP' would forgo the second round of authentication when using SAML. Are there other options of achieving this? Thank you in advance. Kind regards, Jonathan Blok -- Kind regards, *Jonathan Blok* Technical Project Officer / Software Developer *T* +31 35 - 677 16 79 | *M* +31 6 - 4 669 14 58 *Availability:* Mon, Tue, Wed, Fri <http://www.beeldengeluid.nl/> *Netherlands Institute for Sound and Vision | Nederlands Instituut voor Beeld en Geluid* *Media Parkboulevard 1, 1217 WE Hilversum | Postbus 1060, 1200 BB Hilversum | * *beeldengeluid.nl* <http://www.beeldengeluid.nl/> <http://files.beeldengeluid.nl/handtekening/index.html>