# _general
s
This message was deleted.
j
In terms of the stuff you need for troubleshooting, both will be POSTs.

1. The initial POST from the client browser to the IdP, submitting to the IdP that the user is requesting authentication to a service. "Hey, I want to use an app that says I authenticate through you, here's the unique stuff that it gave me to prove that it's who it says it is, and not an impersonator."
2. The subsequent POST is to the service, which includes the assertion. "IdP said to give you this stuff, stamped and sealed with approval from the IdP, proving that the attributes reflect I am who I say I am."
Step 3 and step 6 here
s
This is great, thanks
So what happens when you have two identity providers? Client goes to Citrix Cloud, Cloud goes to Duo, Duo goes to Azure, Azure goes to Duo, Duo goes to Citrix. Who is the IdP in this example?
j
Think of the client as being very short-sighted: they only know what is in front of them and what directions they're given at that time. User goes to Citrix Cloud (SP), kicks off an SP-initiated flow that says go to Duo (IdP), posts to Duo that Citrix Cloud said I need to auth (POST with SP identity ID and ACS URL of Citrix Cloud and more). Duo then drops a cookie on the client browser and kicks off another SP flow, to Azure. Client then goes to Azure and says "Duo wants to authenticate me here at Azure, is that ok?" Azure drops a cookie and sends you back to Duo, who sends you back to Citrix Cloud with both cookies. I'm not familiar with the UI in Duo, but if I were to find and replace Duo with Okta, in Okta, I would have to configure Azure as an accepted IdP in that config.
s
great explanation