SAML SP Initiated Connections
I'm in the process of rolling out APM as a SAML IDP. Currently, we have 6 applications that are all going to be using SP-initiated SAML coming from an external provider which we do not manage. I have it working with one provider. My question is, how does APM know which SAML resource to assign a user to if they are all sharing the same IDP? In my configuration, I have one VIP, one access profile, and one IDP, with 6 SP connectors. I understand that from an IDP-initiated point of view, a user could simply click on the SAML resource they want to access. However, when the SP redirects the user back to my IDP, the access policy has 6 SAML resources under the resource assign. I don't want the user to have to click anything. I want them to sign in once and have the external page be visible.
I could create a separate VIP per SAML application with a separate profile and IDP. But is there an easier way to do this? I guess my bigger question is... how does APM know that a user went to, say, sharepoint.test.com, and when SharePoint redirects back to the local IDP, not to assign, say, the Office 365 resource?
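The SP-initiated flow the question describes is driven by the SAML 2.0 AuthnRequest itself: when an SP redirects the browser to the IDP, the request carries a `<saml:Issuer>` element holding the SP's entity ID (and usually an `AssertionConsumerServiceURL`), and it is that Issuer, not any click by the user, that a standard IDP matches against its registered SP configurations to decide which SP is asking. The example below is added here to illustrate that mechanism and is not part of the original post or of any F5 product code; how APM applies this internally is not covered by the post. The SP connector table, entity IDs, ACS URLs, resource names and the IDP SSO URL are all constructed placeholders, and the AuthnRequest is built with the HTTP-Redirect binding encoding (raw DEFLATE, then base64, then URL-encoding).

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed stand-in for an IDP's per-SP configuration (like APM SP connectors),
# keyed by the SP entity ID that will appear in <saml:Issuer>. Hypothetical values.
SP_CONNECTORS = {
    "https://sharepoint.test.com": {
        "resource": "saml_sharepoint",
        "acs": "https://sharepoint.test.com/_trust/",
    },
    "urn:federation:MicrosoftOnline": {
        "resource": "saml_office365",
        "acs": "https://login.microsoftonline.com/login.srf",
    },
}


def build_redirect_url(idp_sso_url, issuer, acs, request_id="_req1"):
    """Encode an AuthnRequest the way an SP does for the HTTP-Redirect binding:
    XML -> raw DEFLATE (no zlib header) -> base64 -> SAMLRequest query parameter.
    Constructed sample request; a real SP would also sign it (Signature/SigAlg)."""
    xml = (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
        f'AssertionConsumerServiceURL="{acs}" '
        f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        f"</samlp:AuthnRequest>"
    )
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 -> raw DEFLATE
    deflated = compressor.compress(xml.encode("utf-8")) + compressor.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode("ascii")})
    return f"{idp_sso_url}?{query}"


def decode_authn_request(url):
    """Reverse the redirect-binding encoding and pull out the fields the IDP
    needs to pick an SP: Issuer (entity ID), ACS URL and request ID.
    Production code should parse with defusedxml rather than xml.etree."""
    params = parse_qs(urlsplit(url).query)
    raw = base64.b64decode(params["SAMLRequest"][0])
    xml_bytes = zlib.decompress(raw, -15)  # raw DEFLATE, matching the encoder
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("SAMLRequest is not an AuthnRequest")
    issuer_el = root.find(f"{{{SAML}}}Issuer")
    if issuer_el is None or not (issuer_el.text or "").strip():
        raise ValueError("AuthnRequest carries no Issuer; cannot select an SP")
    return {
        "issuer": issuer_el.text.strip(),
        "acs": root.get("AssertionConsumerServiceURL"),
        "id": root.get("ID"),
    }


def select_sp_connector(url, connectors=SP_CONNECTORS):
    """Return the resource name for the SP that issued the request.
    Unknown issuers are rejected, and a requested ACS URL that differs from the
    one registered for that SP is rejected so an assertion can never be
    delivered to an endpoint the SP connector does not trust."""
    req = decode_authn_request(url)
    conn = connectors.get(req["issuer"])
    if conn is None:
        raise LookupError(f"no SP connector for issuer {req['issuer']!r}")
    if req["acs"] is not None and req["acs"] != conn["acs"]:
        raise ValueError("AssertionConsumerServiceURL does not match registered ACS")
    return conn["resource"]


if __name__ == "__main__":
    idp = "https://idp.example.test/saml/idp/sso"  # hypothetical IDP SSO URL
    for issuer, conn in SP_CONNECTORS.items():
        url = build_redirect_url(idp, issuer, conn["acs"])
        print(issuer, "->", select_sp_connector(url))
```

The point for the question at hand is in `select_sp_connector`: one IDP endpoint can serve many SPs because every SP-initiated request names its sender, and the ACS check is the caveat a practitioner should keep in mind, since the requested return URL must be validated against what is registered for that SP rather than trusted from the request.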