Hi Jan, I spent 3 days and many tens of hours on the phone with tier 3 and the team that writes custom enterprise integrations. They were unable to solve the problem, but I was able to glean enough information from watching them try and write the custom SAML connector that I was able to figure it out on my own. I have submitted my solution to them so they can update their documentation which is both missing information and contains incorrect information (same for the kbase article from Azure AD). I am in transit at the moment but I will post my solution as soon as I get to my office. Hope it will help you!