It sounds like you are the SP, and the transaction is IDP-initiated. You should not be protecting /affwebservices/public. Specifically, the saml2assertionconsumer service needs to be unprotected for your use case to succeed. Protecting this URL, often referred to as the ACS URL, creates a catch-22 for any SAML users. SAML users will not have a session until their assertion is consumed by the ACS URL, so if you protect the ACS URL, the user will not have any way to authenticate to access the page, which is why the users cannot authenticate at the basic prompt that's currently popping.
Unprotect the ACS URL so that unauthenticated users can post their assertions to it.
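A quick way to confirm whether the ACS URL is still being intercepted by an authentication challenge is to POST to it without any credentials and look at what comes back. The script below is an added example, not part of the answer above or of the SiteMinder product; the URL and the function names are assumptions, and an unprotected ACS is expected to reject an empty post with a 4xx rather than challenge for credentials.

```python
"""Probe a SAML ACS URL to see whether it is reachable without authentication.

Added example (not from the original answer). The ACS URL below is a placeholder;
replace it with your SP's saml2assertionconsumer endpoint.
"""
import sys
import urllib.error
import urllib.request

# Placeholder URL, not a real host.
ACS_URL = "https://sp.example.invalid/affwebservices/public/saml2assertionconsumer"


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so a login redirect is visible."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # makes urllib raise HTTPError for 3xx responses


def classify_acs_response(status, headers):
    """Classify the response to an unauthenticated POST at the ACS URL.

    'protected-basic'    -> the basic-auth prompt described in the question
    'protected-redirect' -> bounced to a login page before the ACS ran
    'reachable'          -> the ACS itself handled the (invalid) post
    """
    h = {k.lower(): v for k, v in headers.items()}
    if status == 401 and "www-authenticate" in h:
        return "protected-basic"
    if status in (301, 302, 303, 307, 308) and "login" in h.get("location", "").lower():
        return "protected-redirect"
    return "reachable"


def probe_acs(url, timeout=10):
    """POST an empty form (no SAMLResponse) and classify the result."""
    req = urllib.request.Request(
        url, data=b"", method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    opener = urllib.request.build_opener(NoRedirect())
    try:
        with opener.open(req, timeout=timeout) as resp:
            return classify_acs_response(resp.status, dict(resp.headers))
    except urllib.error.HTTPError as err:
        return classify_acs_response(err.code, dict(err.headers))


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else ACS_URL
    print(target, "->", probe_acs(target))
```

Anything other than "reachable" means the web agent is still challenging before the assertion can be consumed, and the realm covering the ACS URL needs to be unprotected.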