On the off chance it helps, what I probably did was create the IdP settings via a metadata URL. If you're manually entering the information, you might try using metadata and loading that. Perhaps the buggy rule is inconsistently applied. -- Scott