The problem is that the session is cleared and does not preserve the information it should, such as sso_method, organization and location context. The cause is that we call session.merge! which does not work as expected. We need to use update instead which is called on the delegated session hash. We have a test for this method but unfortunately it passes since rails tests are using different implementation for sessions ActionController::TestSession while in runtime, ActionDispatch::Request::Session is used. I'm not sure how to test that properly.