Can someone clarify how this cookie is used?
If an SP is supposed to use the last-appended IdP, doesn't this mean a principal is effectively authenticated to only one IdP at a time?
1. user logs into IdP #1
2. user can access SPs honoring authentication via IdP #1
3. user logs into IdP #2
4. user can access SPs honoring authentication via IdP #2
5. user requests an SP honoring authentication via IdP #1
6. said SP retrieves the common domain cookie, extracts last entry (IdP #2) and redirects browser to IdP #2
7. IdP #2 cannot authenticate the user for an SP requiring authentication via IdP #1
8. what happens?
Is this correct?
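
The scenario in the steps above, as an added example that is not part of the original post. It assumes the cookie format of the SAML 2.0 Identity Provider Discovery Profile (`_saml_idp`: space-separated, base64-encoded IdP entity IDs, URL-encoded, most recent last) and assumes the SP may choose any entry it already trusts; the entity IDs and function names are constructed for illustration.

```python
import base64
from urllib.parse import quote, unquote

# Constructed entity IDs for the scenario in the post.
IDP1 = "https://idp1.example.org/saml"
IDP2 = "https://idp2.example.org/saml"

def encode_cdc(idp_ids):
    """Cookie value: base64 each entity ID, join with spaces, URL-encode."""
    tokens = (base64.b64encode(i.encode()).decode() for i in idp_ids)
    return quote(" ".join(tokens))

def decode_cdc(value):
    """Entity IDs in cookie order (most recent last); malformed entries dropped."""
    ids = []
    for token in unquote(value).split():
        try:
            ids.append(base64.b64decode(token, validate=True).decode("utf-8"))
        except ValueError:  # covers binascii.Error and UnicodeDecodeError
            continue
    return ids

def append_idp(ids, idp):
    """Writer side: move idp to the end so it becomes the most recent entry."""
    return [i for i in ids if i != idp] + [idp]

def naive_pick(ids):
    """Step 6 of the post: blindly take the last entry."""
    return ids[-1] if ids else None

def pick_trusted(ids, trusted):
    """Most recent entry that is also in this SP's own trust configuration.

    The cookie is only a hint that any host in the common domain can set,
    so an entry the SP does not already trust is never a redirect target.
    """
    for idp in reversed(ids):
        if idp in trusted:
            return idp
    return None  # fall back to the SP's own IdP selection page

if __name__ == "__main__":
    cookie = encode_cdc(append_idp([IDP1], IDP2))   # after steps 1 and 3
    ids = decode_cdc(cookie)
    sp_trusts = {IDP1}                              # the SP from step 5
    print("naive:", naive_pick(ids))
    print("trust-filtered:", pick_trusted(ids, sp_trusts))
```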