
I am setting up the Spring Security SAML framework and am now trying to integrate the sample web application (http://docs.spring.io/autorepo/docs/spring-security-saml/1.0.x-SNAPSHOT/reference/htmlsingle/#sample-app). However, I would like to skip the initial page with the choice of identity providers and use a specific IdP: the login flow should go directly to the IdP login page.

Here are the changes I have made to securityContext.xml:

<!-- Filter that generates this SP's metadata; the generator is told to include
     the IdP discovery extension in the generated metadata. -->
<bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
  <constructor-arg>
    <bean class="org.springframework.security.saml.metadata.MetadataGenerator">
      <property name="includeDiscoveryExtension">
        <value>true</value>
      </property>
    </bean>
  </constructor-arg>
</bean>

....

<!-- Metadata manager holding the remote IdP metadata and this application's own (local) SP metadata. -->
<bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager">
  <!-- IdP used when no discovery takes place. The value must be the IdP's entityID;
       SimpleSAMLphp presumably uses its metadata.php URL as the entityID - confirm against idp.xml. -->
  <property name="defaultIDP" value="https://my.idp.com/simplesaml/saml2/idp/metadata.php"/>
  <constructor-arg>
    <list>
      <!-- Entry 1: the IdP metadata, read from a file on the classpath. -->
      <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
        <!-- NOTE(review): false disables signature verification of the IdP metadata file loaded
             below, so the file is trusted as-is; re-enable it, or verify the file out of band,
             before this configuration leaves the test environment. -->
        <property name="metadataTrustCheck" value="false"/>
        <constructor-arg>
          <bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
            <constructor-arg>
              <value type="java.io.File">classpath:security/idp.xml</value>
            </constructor-arg>
            <property name="parserPool" ref="parserPool"/>
          </bean>
        </constructor-arg>
        <constructor-arg>
            <!-- Default ExtendedMetadata for the IdP entry; no overrides. -->
            <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
            </bean>
        </constructor-arg>
      </bean>

      <!-- Entry 2: this SP's own metadata, read from /metadata/sp.xml on the classpath. -->
      <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
        <property name="metadataTrustCheck" value="false"/>
        <constructor-arg>
          <bean class="org.opensaml.saml2.metadata.provider.ResourceBackedMetadataProvider">
            <constructor-arg>
              <!-- Timer handed to the provider; presumably used for periodic reload of the resource - confirm. -->
              <bean class="java.util.Timer"/>
            </constructor-arg>
            <constructor-arg>
              <bean class="org.opensaml.util.resource.ClasspathResource">
                <constructor-arg value="/metadata/sp.xml"/>
              </bean>
            </constructor-arg>
            <property name="parserPool" ref="parserPool"/>
          </bean>
        </constructor-arg>
        <constructor-arg>
          <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
            <!-- local=true marks this entry as the SP itself rather than a remote entity. -->
            <property name="local" value="true"/>
            <!-- The alias appears in the SP endpoint paths (/saml/.../alias/test:alias) used below
                 and in the SSO URL the IdP posts back to. -->
            <property name="alias" value="test:alias"/>
            <property name="securityProfile" value="metaiop"/>
            <property name="sslSecurityProfile" value="pkix"/>
            <property name="sslHostnameVerification" value="default"/>
            <property name="signMetadata" value="false"/>
            <!-- Key alias in the SP keystore; "apollo" is presumably the alias from the sample keystore - confirm. -->
            <property name="signingKey" value="apollo"/>
            <property name="encryptionKey" value="apollo"/>
            <!-- Signatures on artifact-resolve and logout messages are not required from the IdP. -->
            <property name="requireArtifactResolveSigned" value="false"/>
            <property name="requireLogoutRequestSigned" value="false"/>
            <property name="requireLogoutResponseSigned" value="false"/>
            <!-- false bypasses the IdP selection page and goes straight to defaultIDP;
                 setting it to true brings the selection page back. -->
            <property name="idpDiscoveryEnabled" value="false"/>
            <!-- NOTE(review): these URLs fix the SP host the browser is sent to. Starting the login
                 on a different host (e.g. localhost) and finishing it on my.public.ip means the
                 session that recorded the outgoing request ID is not the one receiving the
                 Response, which matches the InResponseTo validation failure reported for this setup.
                 They are also plain http://; the SAML Response is posted to this host, so use https
                 outside a local test. -->
            <property name="idpDiscoveryURL" value="http://my.public.ip/webapp/saml/discovery/alias/test:alias"/>
            <property name="idpDiscoveryResponseURL" value="http://my.public.ip/webapp/saml/login/alias/test:alias?disco=true"/>
          </bean>
        </constructor-arg>
      </bean>
    </list>
  </constructor-arg>
</bean>

With this setup it goes directly to the IdP login page (as desired), but once I log in there I do NOT get redirected to the root of my webapp. Instead, I get redirected to my.public.ip/webapp/saml/SSO/alias/test:alias with the following error:

org.springframework.security.authentication.AuthenticationServiceException: Error validating SAML message
    at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:95)
    at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
    at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:84)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:166)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:87)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:409)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1044)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:313)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:745)
Caused by: org.opensaml.common.SAMLException: InResponseToField of the Response doesn't correspond to sent message a4ea0ib7c3af3ia140cib5fb6cei156
    at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:139)
    at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:82)
    ... 31 more

If I change the idpDiscoveryEnabled property to true, I am presented with the choice of IdPs (in my case there is only one); I have to press the Start Single Sign-on button, and only then do I go to the IdP login page. Once I log in I am properly forwarded to the root of my webapp.

Is this caused by an error in my configuration? Any hints would be appreciated.

Thank you!

Pesho
  • I may have found the reason for this problem. I was opening the webapp using localhost, and it was then redirecting to my.global.ip (using the information from the metadata). When I use the global IP from the beginning I don't get this issue. I'm not sure at which point this failed, but it seems this was the problem. – Pesho Oct 09 '15 at 16:54
