Error blocking SSO to protected resource

Hello,

I have created a contract for a AG protected resources where I don't wont users to get sso.
I have add a authentication level of 15 to the contract (more then next highest level) and have not ticked "Satisfiable by a contract of equal or higher level" so there should be no SSO is my understanding.
The contract relies on a remote IDP for authenticate so the contract got "Satisfiable by External Provider" set and in remote IDP configuration I have set this contract in "Satisfies contract"
It somewhat works, if I authenticate to a page protected my MAG or Saml and then open a new tab and go to the protected resources I get promted to authenticate again exept if I have used one other external IDP doing the first authentication, then I'm getting sso to my protected resource

/Lelle