Upon further investigation I have discovered that the root of this issue is caused by IDPFilter calling "response.reset()" prior to building SAML assertion POST response body. When reset() is called, this clears all Set-Cookie (and other) headers that might have previously been added to the response object.
Is it strictly needed to do this in all cases? I have created my own instance of IDPFilter with response.reset() commented out, and have found no negative side effects from doing this so far (in my limited testing). It does resolve the problem I had with my cookies being destroyed.
On a related note, due to the way the filters are processed, you need to ensure that any cookies you add to the response are added prior to the IDPFilter being invoked. Doing them in the post-processing phase of the filter chain, or in a finally {...} block, will not work.
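As an added example (not code from the post or from the project that ships IDPFilter), one way to keep earlier Set-Cookie headers alive across a downstream response.reset() is to wrap the response before the SSO filter runs. The hypothetical CookiePreservingFilter below assumes it is mapped ahead of IDPFilter in the chain and that IDPFilter calls reset() on the response object it is handed (not on an unwrapped one); it remembers every cookie added through it and re-applies them right after reset() clears the headers.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/**
 * Hypothetical filter (assumption: registered BEFORE the SSO filter in the
 * chain). It wraps the response so that cookies added upstream survive a
 * downstream call to response.reset().
 */
public class CookiePreservingFilter implements Filter {

    /** Wrapper that records cookies and restores them after reset(). */
    static final class CookieRetainingResponse extends HttpServletResponseWrapper {
        private final List<Cookie> retained = new ArrayList<>();

        CookieRetainingResponse(HttpServletResponse resp) {
            super(resp);
        }

        @Override
        public void addCookie(Cookie cookie) {
            retained.add(cookie);     // remember it for re-application
            super.addCookie(cookie);
        }

        @Override
        public void reset() {
            // Clears status, all headers (including Set-Cookie) and any buffered body.
            // Throws IllegalStateException if the response was already committed.
            super.reset();
            for (Cookie c : retained) {
                super.addCookie(c);   // put back what reset() just dropped
            }
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        if (resp instanceof HttpServletResponse) {
            // Everything downstream (including IDPFilter) sees the wrapper.
            chain.doFilter(req, new CookieRetainingResponse((HttpServletResponse) resp));
        } else {
            chain.doFilter(req, resp);
        }
    }

    @Override
    public void init(FilterConfig cfg) {
    }

    @Override
    public void destroy() {
    }
}
```

The wrapper only helps for cookies added before the reset, which matches the ordering constraint described above: anything added after IDPFilter has committed the POST body is still lost, because headers cannot be added to a committed response.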