> Is it possible to somehow force RemoteUserInternal even if user already has > session on IdP by signin to "A" using Password flow ? Custom AuthnContextClassRef principals and proper control over requiring them for different SPs is the way to generically influence SSO and flow selection behavior. -- Scott