In SAML2AuthenticationHandler$IDPAuthenticationHandler.getResponse, at line 263, the ASSERTION_ID is gotten from the session and assigned to a local variable, on which further on in the program flow a renew or issue assertion is based. However, the ASSERTION_ID attribute seems to be never set in the session, which leads to a issue assertion in every single case, instead of renewing assertions when appropriate.

While going through the whole login flow in debug mode, I was never able to get into the renewToken logic.