3 Replies Latest reply on Dec 25, 2009 7:42 AM by marcelkolsteren

    idProvider initiated request - Seam integration

      I have a question regarding unsolicited idProvider initiated requests. Are they supported? I am using JBoss 5.0.1 & JBoss Identity 1.0.0 Beta1 with a Seam 2.1.1 GA based app. I am trying to test out an id Provider initiated SSO request. After logging the user in, the SAMLAUthenticationFilter tries to redirect, assuming there is a redirect URL stored in the Relay States. But since the request is id Provider initiated, there is none. I checked the code in the new PicketLink release and it seems to be doing the same. Is there any way to support an Id Provider initiated SSO request with JBoss-identity-seam?

       

      Thanks in advance.

        • 1. Re: idProvider initiated request - Seam integration
          marcelkolsteren

          IDP initiated requests are not supported yet. You are right: the SAML authentication filter looks for a RelayState request parameter, and if it doesn't find one, it will throw a runtime exception.

           

          Maybe you could circumvent this problem by adding "?RelayState=1000" to the Assertion Consumer Service URL of your Seam SP (configured in your IDP). The next thing to ensure is that restoring relay state 1000 results in a redirect to the entry page of your Seam application. You could do that by creating your own version of the component "org.jboss.identity.seam.federation.relayStates". Create a copy of the JBoss Identity supplied component, and change the restoreState method so that index 1000 (corresponding to relay state 1000) is always redirected to the entry page of your application. Probably you need to add an @Install(precedence = Install.APPLICATION) to your copy of the component, in order to tell Seam that it should instantiate your version.
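
A stand-alone sketch of the workaround described in this reply, added here as an example; it is not code from the post or from JBoss Identity or PicketLink. Only relay state 1000 and the restoreState name come from the thread: the class name, the method signatures, the index numbering and the entry page path are assumptions.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;

// Hypothetical stand-in for a copy of the relayStates component (not the
// JBoss Identity class). A real Seam copy would also carry the
// @Install(precedence = Install.APPLICATION) annotation mentioned above.
public class RelayStatesSketch {
    static final int IDP_INITIATED = 1000;          // "?RelayState=1000" set in the IDP
    static final String ENTRY_PAGE = "/home.seam";  // assumed entry page

    private final Map<Integer, String> saved = new ConcurrentHashMap<>();
    // Assumption: SP-initiated indexes are handed out above the reserved one,
    // so a normal login can never collide with index 1000.
    private final AtomicInteger next = new AtomicInteger(IDP_INITIATED + 1);

    // SP-initiated flow: remember the URL the user asked for.
    public int saveState(String requestedUrl) {
        int index = next.getAndIncrement();
        saved.put(index, requestedUrl);
        return index;
    }

    // Returns the redirect target for the RelayState parameter of a response.
    public String restoreState(String relayState) {
        int index;
        try {
            index = Integer.parseInt(relayState);
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("missing or malformed RelayState");
        }
        if (index == IDP_INITIATED) {
            return ENTRY_PAGE; // fixed target, never taken from the request
        }
        String url = saved.remove(index); // one-time use
        if (url == null) {
            throw new IllegalStateException("unknown or already used RelayState");
        }
        return url;
    }

    public static void main(String[] args) {
        RelayStatesSketch states = new RelayStatesSketch();
        int index = states.saveState("/orders.seam"); // constructed sample URL
        System.out.println(states.restoreState(String.valueOf(index)));
        System.out.println(states.restoreState("1000"));
    }
}
```

Because index 1000 is honoured without any request the SP sent, that path has no request to correlate the response with, so the checks on the assertion itself are the only thing standing between the response and a logged-in session.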

          • 2. Re: idProvider initiated request - Seam integration
            anil.saldhana

            Please pick the latest PicketLink 1.0.0 release for your further work.

             

            Unsolicited IDP response to your Seam app should be a valid use case. In that case, I think a pre-established trust pattern between the client and the Service (based on the IDP assertion) should kick in IMO.

            • 3. Re: idProvider initiated request - Seam integration
              marcelkolsteren
              I created a JIRA feature request for this use case: https://jira.jboss.org/jira/browse/PLFED-1.