External and internal login 3rd party IDP loops to SP flow launching page to ACS with VIP Authentication Hub

Article ID: 398806


Products

VIP Authentication Hub, SITEMINDER, CA Single Sign On Federation (SiteMinder)

Issue/Introduction

With both the external and the internal Web SSO acting as 3rd party Identity Provider (IdP), the browser loops from the IdP launching page to the ACS.

This issue did not occur in the previous version.

SiteMinder acts as the SAML IdP.

The external application has SiteMinder as a SAML IdP factor.

The browser loops from saml2sso to acs, to idp, and to saml2sso again.

In a working use case, the browser goes from saml2sso to acs to signin/?x flow state.

In the failing use case, the browser goes from saml2sso to acs to signin/?isIDP=true, and then it loops.

The flow is Service Provider (SP) initiated, with VIP Authentication Hub acting as the SP.

The internal SiteMinder is the third party IDP.
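The working and failing redirect sequences described above can be told apart mechanically from a list of URLs taken from a browser trace. The following is an added example, not part of the original article or of any product tooling; the host names, full paths and placeholder query strings are constructed, and only the final path segments (saml2sso, acs, signin) and the isIDP=true parameter come from the article.

```python
from urllib.parse import urlsplit, parse_qs

def step(url):
    """Map a URL to one of the step names used in the article, or None."""
    parts = urlsplit(url)
    segments = [s for s in parts.path.split("/") if s]
    last = segments[-1].lower() if segments else ""
    if last in ("saml2sso", "acs"):
        return last
    if last == "signin":
        is_idp = parse_qs(parts.query).get("isIDP", [""])[0].lower() == "true"
        return "signin-isIDP" if is_idp else "signin-flow"
    return None  # unrelated request (static assets and so on)

FAILING_CYCLE = ["saml2sso", "acs", "signin-isIDP"]
WORKING_TAIL = ["saml2sso", "acs", "signin-flow"]

def classify(urls, min_repeats=2):
    """Return 'looping', 'suspect', 'working' or 'inconclusive' for a URL trace."""
    steps = [s for s in map(step, urls) if s]
    repeats, i = 0, 0
    while i + 3 <= len(steps):
        if steps[i:i + 3] == FAILING_CYCLE:
            repeats += 1
            i += 3
        else:
            i += 1
    if repeats >= min_repeats:
        return "looping"       # failing sequence seen back to back
    if repeats == 1:
        return "suspect"       # reached signin/?isIDP=true once, trace too short
    if steps[-3:] == WORKING_TAIL:
        return "working"       # ended on signin with a flow state
    return "inconclusive"

# Constructed sample traces (hosts, paths and query values are placeholders).
LOOPING_TRACE = [
    "https://idp.example/saml2sso?SAMLRequest=PLACEHOLDER",
    "https://authhub.example/acs",
    "https://authhub.example/signin/?isIDP=true",
] * 2
WORKING_TRACE = [
    "https://idp.example/saml2sso?SAMLRequest=PLACEHOLDER",
    "https://authhub.example/acs",
    "https://authhub.example/signin/?FLOW_STATE_PLACEHOLDER",
]

if __name__ == "__main__":
    print(classify(LOOPING_TRACE), classify(WORKING_TRACE))
```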

Environment

VIP Authentication Hub 3.4

Cause

The application was improperly configured as a ZFP application.

The symptom was masked by the presence of an IDP Discovery policy that took effect before ZFP detection.

Resolution

Disable the IDP Discovery policy to fix this issue.

With the IDP Discovery policy disabled, the ZFP flow was not satisfied, because the application is not a true ZFP app: it does not send the ITH.