1) Set up AM and IG for CDSSO as per the Gateway Guide chapter 5.3. AM service configuration should look something like this:
2) Create a route that includes the CDSSO filter, like this:
and an arbitrary protected resource (in my case a static response handler).
3) Test the flow with e.g. user demo - works.
4) Now on AM, change the realm's organization's authentication configuration from the default ldapService to a tree, for instance the 'Example' one.
5) Clear cookies and re-test the flow. You'll see a loop of POSTs to the cdssoredirect endpoint on IG, each followed by a 302 to AM's oauth2/authorize endpoint, until the loop eventually stops with a 200 and the error message
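For reference, the kind of IG route the steps above describe (AmService in the heap, a CrossDomainSingleSignOnFilter in front of a StaticResponseHandler). This is an added illustration, not the reporter's actual route or the Gateway Guide's own listing: the route name, condition path, AM URL, agent credentials, cookie name and redirect endpoint are placeholder values and must be replaced with those of the environment being tested.

```json
{
  "name": "cdsso-example",
  "condition": "${matches(request.uri.path, '^/home/cdsso')}",
  "heap": [
    {
      "name": "AmService-1",
      "type": "AmService",
      "config": {
        "url": "http://openam.example.com:8088/openam",
        "realm": "/",
        "agent": {
          "username": "ig_agent_cdsso",
          "password": "REPLACE_WITH_AGENT_PASSWORD"
        }
      }
    }
  ],
  "handler": {
    "type": "Chain",
    "config": {
      "filters": [
        {
          "name": "CrossDomainSingleSignOnFilter-1",
          "type": "CrossDomainSingleSignOnFilter",
          "config": {
            "redirectEndpoint": "/home/cdsso/redirect",
            "authCookie": {
              "path": "/home",
              "name": "ig-token-cookie"
            },
            "amService": "AmService-1"
          }
        }
      ],
      "handler": {
        "type": "StaticResponseHandler",
        "config": {
          "status": 200,
          "reason": "OK",
          "headers": {
            "Content-Type": [ "text/html; charset=UTF-8" ]
          },
          "entity": "<html><body>CDSSO-protected resource</body></html>"
        }
      }
    }
  }
}
```

With this route in place, an unauthenticated request to /home/cdsso is redirected to AM for authentication; AM then POSTs the session token back to the redirectEndpoint, where IG sets the authCookie and forwards the request to the StaticResponseHandler. Step 5 above is reproduced by switching the realm's authentication configuration from the ldapService chain to a tree and watching whether the POST to the redirect endpoint results in a cookie being set or in another 302 back to AM.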
On comparing the session tokens produced by the chain vs. the tree, I noticed the following differences:
successURL: points to "/am/console" (chain), but to ".../oauth2/authorize/..." (tree)
AuthType: "DataStore" (chain), not present (tree).