Comment 2 for bug 1571878

We need to investigate what happens if we try to authenticate using an IdP with an invalid mapping in the protocol. This looks like a regular "unauthorized" error (or equivalent when the mapping fails), so we may start by changing the error return status to something more helpful.

After that, I suggest we deprecate the behavior and enforce the steps as described above.