As far as I know once the user is authenticated with the IdP via the SAML request, in AEM you still get a token created and associated with the crx session. Every subsequent request is authenticated via the CRX Token Authentication Handler first before going to the SSO Handler unless you changed the...