by rb12345 697 days ago
That's true for SAML2, but not SAML1 - not that anything should be using SAML1 these days.
1 comments

Well, that depends on the binding, right? In case you use the "artifact binding" then there's also direct communication between SP and IdP. I haven't seen it in the wild and I am also no professional, but I saw it in the 2.0 standard, e.g., see https://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-...
It’s hard enough to debug SAML as it is, I can’t imagine debugging artifact binding without having full control of both the SP and IdP.