...

  • A SAML 2.0 SP uses the HTTP-POST binding to issue its request AND
  • The IdP is configured to use server-side sessions OR is not using HTML Local Storage with client-side sessions.

(In turn, it's possible to get SSO back, even with server-side sessions, by enabling the idp.storage.htmlLocalStorage property, at the cost of users being forced to navigate the extra roundtrip used to load the data from the client.)

We believe this represents a relatively small minority of deployments, given that we strongly encourage use of client-side sessions and that HTML Local Storage is the advised, though not yet default, mechanism for doing so. POST requests are also relatively less common, and in some cases extremely rare, though some prominent SPs do use them (e.g. Box.com, EZProxy).

...