How do the user directories affect the partnership? We've had conflicts with users being in two different directories: setting one directory as the default/only directory in a partnership, with both directories in the policy for the Authentication URL, causes the user to get an error if they try to authenticate through the directory in the partnership that doesn't happen to be first in the chain for the Authentication URL.
Is the successful federation authentication process based solely on the Authentication URL user directories and their order, and are assertions only generated for the users in the groups defined in the partnership? That's how it seems; I just want to make sure I'm not missing anything.
You would need to use the same User Directory in both the authentication domain and the partnership.
As you know, we need an SMSESSION to generate the SAML assertion, but federation does not have the option to challenge the user, hence we protect the Authentication URL. Once the user is authenticated and authorized at the Authentication URL, the request is redirected back to the federation service along with the SMSESSION. At this point we need to validate the SMSESSION before going on to authorization, and if you don't add the same users to the partnership, it is expected that you get a validation error: the request fails to process further and is redirected back to the Authentication URL.
Please use the same User Directory in both the authentication domain and the partnership.
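The following is an added illustration, not code from the thread or from the SiteMinder product: a small Python model of the flow the answer describes (Authentication URL tries its User Directory chain in order and mints an SMSESSION; the federation service then validates that session against the partnership's own User Directory before authorizing and issuing an assertion). The directory names, users and groups are constructed for the example, and credential checking is deliberately left out; the point is how a directory mismatch between the Authentication URL policy and the partnership produces the validation error and redirect loop described in the question, and how aligning the two directories avoids it.

```python
# Toy model (not SiteMinder code) of the federation flow described in the thread.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class UserDirectory:
    name: str
    groups: Dict[str, Set[str]]  # username -> group memberships

    def lookup(self, username: str) -> Optional[Set[str]]:
        return self.groups.get(username)


@dataclass(frozen=True)
class SmSession:
    """Stand-in for the SMSESSION cookie: who logged in and which directory matched."""
    username: str
    directory: str


class AuthenticationUrl:
    """Protected resource whose policy binds an ordered chain of User Directories."""

    def __init__(self, directory_chain: List[UserDirectory]):
        self.directory_chain = directory_chain

    def authenticate(self, username: str) -> Optional[SmSession]:
        # Credential checking is omitted from the model; what matters here is the
        # chain order: the first directory containing the user is the one the
        # session gets bound to.
        for directory in self.directory_chain:
            if directory.lookup(username) is not None:
                return SmSession(username, directory.name)
        return None


class Partnership:
    """Federation partnership: one User Directory plus the groups that may receive assertions."""

    def __init__(self, directory: UserDirectory, allowed_groups: Set[str]):
        self.directory = directory
        self.allowed_groups = allowed_groups

    def process(self, session: SmSession) -> str:
        # Step 1: validate the SMSESSION against the partnership's own directory.
        groups = self.directory.lookup(session.username)
        if groups is None:
            # The user the Authentication URL just logged in is unknown to this
            # directory: validation fails and the request is sent back to the
            # Authentication URL, which is the loop the question describes.
            return "VALIDATION_ERROR: redirect to Authentication URL"
        # Step 2: authorize; only members of the partnership's groups get an assertion.
        if groups & self.allowed_groups:
            return f"ASSERTION issued for {session.username}"
        return "AUTHORIZATION_FAILED"


def federate(auth_url: AuthenticationUrl, partnership: Partnership, username: str) -> str:
    """Run one IdP-side request through the modelled flow and report the outcome."""
    session = auth_url.authenticate(username)
    if session is None:
        return "AUTHENTICATION_FAILED"
    return partnership.process(session)


# Constructed sample directories and users (hypothetical names).
CORP_DIR = UserDirectory("corp-ldap", {"alice": {"saml-users"}, "carol": {"staff"}})
PARTNER_DIR = UserDirectory("partner-ad", {"bob": {"saml-users"}})

# Misconfiguration from the question: the Authentication URL chains both
# directories, but the partnership is bound to corp-ldap only.
MISMATCHED_AUTH_URL = AuthenticationUrl([CORP_DIR, PARTNER_DIR])
MISMATCHED_PARTNERSHIP = Partnership(CORP_DIR, {"saml-users"})

# Configuration the answer recommends: the same directory on both sides.
ALIGNED_AUTH_URL = AuthenticationUrl([CORP_DIR])
ALIGNED_PARTNERSHIP = Partnership(CORP_DIR, {"saml-users"})


if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        print(f"mismatched/{user}: {federate(MISMATCHED_AUTH_URL, MISMATCHED_PARTNERSHIP, user)}")
    for user in ("alice", "bob", "carol"):
        print(f"aligned/{user}:    {federate(ALIGNED_AUTH_URL, ALIGNED_PARTNERSHIP, user)}")
```

In the mismatched setup, bob authenticates successfully at the Authentication URL through the second directory in the chain, yet the federation service cannot find him in the partnership's directory, so he gets the validation error and is bounced back; carol is found but is in no permitted group, so she gets an authorization failure rather than an assertion. With the same directory on both sides, a user either fails at the Authentication URL up front or reaches authorization with a session the partnership can validate.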