Support for SAML 2.0?

Hi Martin,

That sounds like a solution – I'm just missing some background knowledge about “session management” in Tyk to fully understand the direction you are pointing me in…

With SAML 2.0, the SP (API gateway here) retrieves the SAML envelope with assertions upon the initial request. Based on the assertions, a “session” (?) needs to be created on the SP to identify subsequent requests as being authenticated.

What does Tyk set (a session cookie??) in order to identify these subsequent requests, and how does it then handle session replication to other Tyk instances here?

Feel free to refer me to the docs with an RTFM remark :wink:

Best – Robin