Identity Provider Discovery Policy needs 2 IdP at least

Article ID: 374836

Products

VIP Authentication Hub

Issue/Introduction


When testing the Identity Provider Discovery Policy in VIP Authentication Hub for the use case where the user may either log in to the local Identity Store or select an Identity Provider, the following behaviour is observed.

The configuration appears to work when at least 2 Identity Providers are defined: the login page offers the choice between the local user and a redirect to one of the Identity Providers.

When only one Identity Provider is defined in the Identity Provider Discovery Policy, the browser is redirected to that Identity Provider's login page during login without first showing the selection page, so the local user cannot be chosen.


Resolution


The requirement for idpProtocol (which runs before the username is available) was to act on request-specific information (this user's application instance, IP range, etc.) in the case of a single-application BYOI (Bring Your Own Identity) IdP, thereby causing an automatic redirect.

Otherwise, provide a username (possibly with a domain) and idpAuthenticate (which runs after the username is available) will kick in.

The point is that providing the username first is a plus, because it triggers a range of validations; the flow can then proceed with picking an applicable IdP or with "Continue as <user>" to stay with the local user.

In any case, an application metadata item was added in 3.3 to control whether the automatic redirect to a BYOI IdP should be skipped when only a single IdP matches; this will be sufficient going forward.

So, the solution is to upgrade to VIP Authentication Hub version 3.3 once it is available, in the coming months.

The workaround is to keep at least 2 IdPs configured.
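To make the decision logic described above concrete, here is a small Python model of the two discovery stages, written for this article and not taken from VIP Authentication Hub. The IdP names, IP ranges, the `skip_single_idp_redirect` flag and all function names are hypothetical stand-ins for the product's own settings, and the model assumes that an IdP with no request-specific restriction is a candidate for every request, which is what reproduces the single-IdP auto-redirect described in the issue and shows why two IdPs (or the 3.3 skip flag) bring the selection page back.

```python
"""Toy model of IdP discovery: pre-username (idpProtocol-like) and
post-username (idpAuthenticate-like) stages. Hypothetical, not product code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

LOCAL = "local"  # the "stay with the local user" option


@dataclass(frozen=True)
class IdP:
    name: str
    domains: Tuple[str, ...] = ()    # username domains routed here (post-username stage)
    ip_ranges: Tuple[str, ...] = ()  # CIDRs selecting this IdP before a username is known


@dataclass
class DiscoveryPolicy:
    idps: List[IdP]
    # Hypothetical stand-in for the 3.3 application metadata item that skips the
    # automatic redirect when exactly one IdP matches.
    skip_single_idp_redirect: bool = False


@dataclass(frozen=True)
class Decision:
    action: str                    # "redirect", "select" or "local"
    idp: Optional[str] = None      # target IdP when action == "redirect"
    choices: Tuple[str, ...] = ()  # options offered when action == "select"


def _decide(policy: DiscoveryPolicy, matches: List[IdP]) -> Decision:
    """Shared rule: no match -> local login page; exactly one match -> automatic
    redirect unless the skip flag is set; otherwise offer local + matching IdPs."""
    if not matches:
        return Decision("local")
    if len(matches) == 1 and not policy.skip_single_idp_redirect:
        return Decision("redirect", idp=matches[0].name)
    return Decision("select", choices=(LOCAL,) + tuple(i.name for i in matches))


def idp_protocol(policy: DiscoveryPolicy, client_ip: str) -> Decision:
    """Pre-username stage: only request-specific information (here, the client IP)
    is available. An IdP without ip_ranges matches every request, so a policy with
    a single unrestricted IdP always redirects, the symptom from the issue."""
    addr = ip_address(client_ip)
    matches = [
        i for i in policy.idps
        if not i.ip_ranges or any(addr in ip_network(r) for r in i.ip_ranges)
    ]
    return _decide(policy, matches)


def idp_authenticate(policy: DiscoveryPolicy, username: str) -> Decision:
    """Post-username stage: route on the username's domain; a username without a
    matching domain stays local ("Continue as <user>")."""
    if "@" not in username:
        return Decision("local")
    domain = username.rpartition("@")[2].lower()
    matches = [i for i in policy.idps if domain in i.domains]
    return _decide(policy, matches)


if __name__ == "__main__":
    # Constructed sample policies, mirroring the three situations in the article.
    one_idp = DiscoveryPolicy([IdP("acme-saml", domains=("acme.example",))])
    two_idps = DiscoveryPolicy([IdP("acme-saml"), IdP("partner-oidc")])
    one_idp_fixed = DiscoveryPolicy([IdP("acme-saml")], skip_single_idp_redirect=True)
    for label, pol in (("1 IdP", one_idp), ("2 IdPs", two_idps), ("1 IdP + skip", one_idp_fixed)):
        print(label, "->", idp_protocol(pol, "203.0.113.7"))
    print("alice@acme.example ->", idp_authenticate(one_idp, "alice@acme.example"))
    print("bob ->", idp_authenticate(one_idp, "bob"))
```

Running the script prints the pre-username decision for each policy: the single unrestricted IdP produces a redirect with no chance to pick the local user, the two-IdP policy and the skip-flag policy both produce a selection that includes `local`, and the post-username stage routes `alice@acme.example` to the matching IdP while `bob` stays local.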