So I use both pac4j saml and pac4j oidc. I noticed that the saml implementation does not maintain the session on-callback; a new one is created so I lose the state stored in the session store for that session.
Is this a known bug? I am using pac4j-saml version 5.7.7
To prevent some kind of session hijacking, the session is renewed on callback, but this can be disabled via the renewSession setting.