In SPACSUtils we have the following logic:
However, at that point the session is very likely to be null, hence the ignoreProfile mode is determined incorrectly (it will be false for null sessions).
To reproduce this:
- enable Ignore profile at the SP
- configure the SP to do auto-federation
- initiate SAML authentication using a non-persistent, non-transient NameID-Format
The use of auto-federation is key to reproducing this issue, because account linking based on local authentication means that the session is non-null when accessing the SAML endpoint.