A little more information...
When I submit my auth request and get a response back from the IDP, it does not contain the attributes I am sending (employee number, mail) but does contain my list of roles. If I refresh my browser, thus resending the request before the Assertion expires (in less than 60 seconds), the attributes are still not sent. However, if I refresh my browser (resending the request) after the Assertion expires (after 60 seconds), I get an error from the SPPostFormAuthenticator that says, "Assertion has expired. Asking IDP for reissue", and the response from the IDP contains my attributes and my roles.
Any ideas on this?
One thing I have noticed...
In my logs, I see that the IDPAuthentication handler always sends the RESPONSE before the attribute manager has been invoked. That is why the attributes do not get sent with the first response. If I hit REFRESH on the browser, the browser just resends the same SAML REQUEST, and the IDP does not rebuild the RESPONSE as the original Assertion is still valid (probably because my SKEW time is 60 seconds).
Anyway, once the Assertion expires, the second request will cause the RESPONSE to be reissued, and since the Attribute Manager put the values in the session AFTER the original request, it finds them, and sends them.
I have tried to adjust the order of my handlers with no success.
Is there a way to ensure the Attribute Manager gets invoked BEFORE the response is sent from the IDP back to the SP?
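As an added illustration (not code from the thread above or from the IDP/SP product being discussed), the following SP-side check shows the two things the poster is observing: whether an assertion is still accepted once a clock-skew tolerance is applied around its `Conditions`, and which expected attributes are missing from its `AttributeStatement`. Element and attribute names follow the SAML 2.0 assertion schema; the sample assertion, the 60-second default skew, and the required attribute names (`employeeNumber`, `mail`, `roles`) are constructed assumptions for the example.

```python
"""SP-side sanity checks on a SAML 2.0 Assertion: validity window with clock
skew, and presence of the attributes the SP expects.

Added example; the sample assertion, skew value and attribute names are
constructed for illustration and are not taken from the original thread.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: a 60-second validity window, a roles attribute, but no
# employee number or mail attribute (the situation described in the post).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example-id" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.invalid</saml:Issuer>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:01:00Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="roles">
      <saml:AttributeValue>user</saml:AttributeValue>
      <saml:AttributeValue>admin</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_saml_time(value):
    """Parse an xsd:dateTime with a trailing 'Z' into an aware UTC datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def assertion_attributes(assertion_xml):
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs


def assertion_is_valid(assertion_xml, now, skew_seconds=60):
    """True if `now` lies inside Conditions, widened on both sides by the skew.

    Widening NotOnOrAfter by the skew is what lets an assertion that looks
    expired by its own timestamps still be accepted for up to skew_seconds.
    """
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", NS)
    if cond is None or cond.get("NotBefore") is None or cond.get("NotOnOrAfter") is None:
        return False  # no usable validity window: reject rather than guess
    skew = timedelta(seconds=skew_seconds)
    not_before = parse_saml_time(cond.get("NotBefore"))
    not_on_or_after = parse_saml_time(cond.get("NotOnOrAfter"))
    return (not_before - skew) <= now < (not_on_or_after + skew)


def missing_attributes(assertion_xml, required):
    """Names from `required` that the assertion does not carry."""
    present = assertion_attributes(assertion_xml)
    return [name for name in required if name not in present]


if __name__ == "__main__":
    required = ["employeeNumber", "mail", "roles"]  # constructed SP requirement
    for stamp in ("2024-01-01T12:00:30Z", "2024-01-01T12:01:30Z", "2024-01-01T12:02:30Z"):
        now = parse_saml_time(stamp)
        print(stamp, "accepted" if assertion_is_valid(SAMPLE_ASSERTION, now) else "expired")
    print("missing:", missing_attributes(SAMPLE_ASSERTION, required))
```

Running the block shows that the constructed assertion is still accepted 30 seconds past its `NotOnOrAfter` because of the 60-second skew, and is only rejected once the skew is exhausted; it also reports `employeeNumber` and `mail` as missing while `roles` is present. Checking required attributes at the SP, independently of the validity window, is what surfaces an incomplete first response instead of leaving it to be discovered after a reissue.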