To reproduce:
- Create 3 entities in the same realm: Hosted IDP, Remote SP1 and Remote SP2
- Create 2 CoTs:
  - CoT1: IDP, SP1
  - CoT2: IDP, SP2
- Test each CoT separately to check it works (clear browser in between).
- Test SSO between SP1 and SP2:
  - Federate to SP2
  - Federate to SP1
In the Federation log you will see an "Issuer in Request is not valid" warning.
The workaround at this point is either:
- put all the entities in the same CoT
- duplicate the IDP profile, create 2 separate entities IDP1 and IDP2 and two separate CoTs: CoT1: IDP1, SP1 and CoT2: IDP2, SP2
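
A way to spot this layout in a configuration before users hit the warning, as an added example that is not part of the original report or the product's code: it flags SP pairs that share an IDP entity but no common CoT, and shows that both workarounds clear the finding. The dictionaries, the role map and the function names are constructed for illustration, and the check assumes the warning arises exactly for such pairs, as the reproduction steps suggest.

```python
from itertools import combinations

# Constructed sample mirroring the reproduction steps above (not an export
# from a real deployment); the role map is an assumption of this sketch.
REPRO = {"CoT1": {"IDP", "SP1"}, "CoT2": {"IDP", "SP2"}}
WORKAROUND_SAME_COT = {"CoT1": {"IDP", "SP1", "SP2"}}
WORKAROUND_SPLIT_IDP = {"CoT1": {"IDP1", "SP1"}, "CoT2": {"IDP2", "SP2"}}
ROLES = {"IDP": "idp", "IDP1": "idp", "IDP2": "idp", "SP1": "sp", "SP2": "sp"}


def memberships(cots):
    """Map each entity to the set of CoT names it belongs to."""
    result = {}
    for cot, members in cots.items():
        for entity in members:
            result.setdefault(entity, set()).add(cot)
    return result


def split_sp_pairs(cots, roles=ROLES):
    """Return sorted (idp, sp_a, sp_b) triples where both SPs share a CoT
    with the same IDP but have no CoT in common with each other."""
    member_of = memberships(cots)
    findings = []
    for idp in sorted(e for e in member_of if roles.get(e) == "idp"):
        # SPs that sit in at least one CoT together with this IDP
        sps = sorted(
            e for e in member_of
            if roles.get(e) == "sp" and member_of[e] & member_of[idp]
        )
        for sp_a, sp_b in combinations(sps, 2):
            if not member_of[sp_a] & member_of[sp_b]:
                findings.append((idp, sp_a, sp_b))
    return findings


if __name__ == "__main__":
    layouts = [
        ("reproduction", REPRO),
        ("workaround: same CoT", WORKAROUND_SAME_COT),
        ("workaround: split IDP", WORKAROUND_SPLIT_IDP),
    ]
    for name, cots in layouts:
        print(f"{name}: {split_sp_pairs(cots) or 'no split SP pairs'}")
```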