I have an SP configured for multiple IdPs for the same customer. They have an "external tenant" for their customers and other users, and an "internal tenant" for their employees and contractors - all of this is assembled in Okta. What happens is there is one "log in button" that they click on my SP site and by default they are transported to the external tenant to log in. If they have an internal account the external tenant somehow knows this, sends their login to the internal tenant, which then sends them back to my service provider site. Usually this seems to be just fine. But sometimes people get an error:
The SAML message issuer http://www.okta.com/internal does not match the expected issuer http://www.okta.com/external.
at ComponentSpace.SAML2.AbstractSAMLProvider.CheckPendingResponseState(String inResponseTo) in C:\Sandboxes\ComponentSpace\SAMLv20\Library\AbstractSAMLProvider.cs:line 313
at ComponentSpace.SAML2.InternalSAMLServiceProvider.ProcessSAMLResponse(XmlElement samlResponseElement, Boolean& isInResponseTo, String& authnContext, String& userName, SAMLAttribute& attributes) in C:\Sandboxes\ComponentSpace\SAMLv20\Library\InternalSAMLServiceProvider.cs:line 790
at ComponentSpace.SAML2.InternalSAMLServiceProvider.ReceiveSSO(HttpRequestBase httpRequest, Boolean& isInResponseTo, String& partnerIdP, String& authnContext, String& userName, SAMLAttribute& attributes, String& relayState) in C:\Sandboxes\ComponentSpace\SAMLv20\Library\InternalSAMLServiceProvider.cs:line 1081
Sometimes they can try again and just get in, but other times it seems like they just give up and browse the site anonymously. I currently do not have diagnostic logging enabled but I can send samlresponse data that has been logged for these events.