We are integrating with different Identity Providers, and while we set every SAML connection up with the exact same configuration, we are noticing that a Google Workspaces connection's IdP-initiated SSO is not behaving the way it does when we integrate with other providers (Okta, OneLogin, etc.).
Tokens are being created without the additional scopes defined in the "Query String" parameter, so even though the user is successfully authenticated, we get blank responses on GET /userinfo and can't identify who they are. These are the settings we are using:
There isn't anything Google-specific in the setup (outside of the ACS URL), but this is only happening with this provider. SP-initiated flows work as expected (we set the scopes correctly when redirecting users to the /authorize endpoint).
What could be happening differently here that is breaking the IdP initiated flow?
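A quick way to confirm the symptom described above before opening a support case is to look at what the issuer actually put in the `scope` claim of the token returned by each flow, and to compare it with the scopes the SP-initiated `/authorize` redirect requests. The following is an added diagnostic example, not code from the original post or from any provider; it assumes the requested scopes are `openid profile email` (the post does not list them), that the access token is a JWT, and uses constructed, unsigned sample tokens so it runs offline. It decodes the payload without verifying the signature, which is fine for reading claims during troubleshooting but must never be used to authorize anything.

```python
import base64
import json
from urllib.parse import parse_qs, urlencode, urlparse

# Scopes assumed to be configured in the "Query String" parameter and in the
# SP-initiated redirect. Assumption: the original post does not list them.
REQUIRED_SCOPES = frozenset({"openid", "profile", "email"})


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_payload(token: str) -> dict:
    """Return the claims of a compact JWT WITHOUT verifying its signature.

    Diagnostic use only: this shows what the issuer put in the token, not
    whether the token is genuine. Never make an authorization decision on
    an unverified payload.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def token_scopes(token: str) -> set:
    """The OAuth 'scope' claim is a single space-delimited string."""
    claims = decode_payload(token)
    return set(claims.get("scope", "").split())


def missing_scopes(token: str, required=REQUIRED_SCOPES) -> set:
    """Scopes the application expected but the issuer did not grant."""
    return set(required) - token_scopes(token)


def build_authorize_url(domain: str, client_id: str, redirect_uri: str,
                        state: str, scopes=REQUIRED_SCOPES) -> str:
    """SP-initiated request: the scopes travel in the 'scope' query parameter.

    'domain' is the hypothetical tenant/issuer host; only standard OAuth 2.0
    authorization-request parameters are used here.
    """
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(sorted(scopes)),
        "state": state,
    }
    return f"https://{domain}/authorize?" + urlencode(params)


def authorize_scopes(url: str) -> set:
    """Read back the scopes an /authorize URL requests (for comparison)."""
    query = parse_qs(urlparse(url).query)
    return set(query.get("scope", [""])[0].split())


def make_sample_token(scope: str) -> str:
    """Constructed, unsigned sample token for offline testing.

    The signature segment is a placeholder, so decode_payload accepts it but
    no real verifier would. The claim values are invented.
    """
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({
        "iss": "https://tenant.example.invalid/",
        "sub": "samlp|user@example.invalid",
        "scope": scope,
    }).encode())
    return f"{header}.{payload}.placeholder-signature"


if __name__ == "__main__":
    # What a healthy SP-initiated token looks like versus the IdP-initiated
    # token the post describes (no additional scopes granted).
    sp_token = make_sample_token("openid profile email")
    idp_token = make_sample_token("")
    print("SP-initiated  missing scopes:", missing_scopes(sp_token))
    print("IdP-initiated missing scopes:", missing_scopes(idp_token))
```

To use it against real tokens, paste the access token from each flow into `missing_scopes()`; a non-empty result for the IdP-initiated token while the SP-initiated one comes back empty pins the problem on the scopes the issuer attaches during the IdP-initiated flow rather than on the `/userinfo` call itself. If the token is opaque rather than a JWT, `decode_payload` will raise, and the `scope` value has to be read from the token response or the provider's logs instead.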