After updating a working SAML configuration with a new SPID value, users began receiving a 403 error when trying to reach the application. The error appears to occur immediately when the request is made; the user is never redirected for authentication.
All Supported Environments
Upon checking the FWSTrace.log, an error message indicated the SPID could not be found. The SPID value, which was in URL format, appeared URL-encoded in the log. The SPID value was not URL-encoded in the config. This was causing the mismatch.
Submit the IDP-initiated request without URL-encoding the SPID value. The SPID value must always be an exact match for what is specified in the config.
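The following check is an added example, not part of the original article or the product's code. It reads the SPID from a request URL exactly as sent (without percent-decoding) and reports whether a failed exact match is explained by URL-encoding. The `SPID` query parameter name, the host names, the `/sso` path, and the function names are assumptions made for illustration, and it generalizes the single-encoding case described above to repeated encoding.

```python
from urllib.parse import urlsplit, unquote

def raw_query_value(url, name):
    """Return a query parameter exactly as sent, with no percent-decoding."""
    for pair in urlsplit(url).query.split("&"):
        key, sep, value = pair.partition("=")
        if sep and key == name:
            return value
    return None

def diagnose_spid(url, configured_spids, param="SPID", max_rounds=3):
    """Classify how the SPID in a request relates to the configured values.

    Returns (status, value): "exact" when the raw value matches the config,
    "encoded_xN" when it matches only after N rounds of percent-decoding,
    "missing" when the parameter is absent, "unknown" otherwise.
    """
    raw = raw_query_value(url, param)
    if raw is None:
        return ("missing", None)
    if raw in configured_spids:
        return ("exact", raw)
    decoded = raw
    for rounds in range(1, max_rounds + 1):
        nxt = unquote(decoded)
        if nxt == decoded:  # nothing left to decode
            break
        decoded = nxt
        if decoded in configured_spids:
            return (f"encoded_x{rounds}", decoded)
    return ("unknown", raw)

# Constructed sample data: one configured SPID in URL format and four requests.
CONFIGURED = {"https://sp.example.com/saml/metadata"}
SAMPLES = [
    "https://idp.example.com/sso?SPID=https://sp.example.com/saml/metadata",
    "https://idp.example.com/sso?SPID=https%3A%2F%2Fsp.example.com%2Fsaml%2Fmetadata",
    "https://idp.example.com/sso?SPID=https%253A%252F%252Fsp.example.com%252Fsaml%252Fmetadata",
    "https://idp.example.com/sso?SPID=https://other.example.com/",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(diagnose_spid(url, CONFIGURED), url)
```

An `encoded_xN` result points at the link, bookmark, or portal that builds the IDP-initiated URL as the place to remove the encoding; `unknown` means the configured value itself differs.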