Which endpoint redirects and for which hosting model? Is it /plugins/servlet/oauth/request-token? And is it Cloud or Server (different SAML-support implementations)? From my experience, SAML is different enough from provider to provider, that it’s not worth doing. If the request-token endpoint is protected, then I’d consider it a bug.
They are not able to request “/rest/api/2/issue/createmeta” endpoint. When SAML login redirect is disabled they can request the create meta with no issues.
Another thing that is worth mentioning, users connected through SAML do not appear as logged in users and their logins are not counted to the user access count.
Any hints on how to debug this would be appreciated. Thanks in advance.