When a redirect happens and the URL contains a hash (#) everything after, and including, the hash is stripped from the URL

This is an expected behavior as per RFC 3986.
The hash symbol represents a URI fragment and this stripping is done by the client browser when redirect happens and there is no work around for this.

This is a very common deficiency in single sign on protocols, saml based or otherwise.