Just a quick follow-up. We have not completed this 100% to our satisfaction, but we are making progress. Here is some documentation of what we have done so far.
At this point we have managed to get it so that a user that does not exist will get the Identity Provider page. Then, if it is an unknown user in the IdP, they get the Portal login page. The User and Password fields do not work on the login page; even with a correct user and password one cannot go any further. Ideally they would not get the Portal login screen at all but would be passed back to the Identity Provider page.
We did this by:
1. Create a custom template based on the ticket template.
2. Add SAML2LoginModule to the authentication stack. Remove the BasicPasswordLoginModule.
3. Include Forced Reauthentication.
4. In Authentication and Single Sign-On, we changed ticket to our custom template.
5. We edited the authschemes.xml and changed the default value to our custom one.
In the custom authschemes.xml we pointed the Portal login to our custom template (where the arrow points).
Instructions on editing the authschemes.xml can be found in the SAP help here:
http://help.sap.com/saphelp_nw73/helpdata/en/1a/3afd4e641b8f42ac07bb77fe30375b/content.htm
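To make step 5 concrete, here is an added illustration (not the poster's actual file) of what the authschemes.xml change looks like: the stock user/password scheme is left as shipped, a second scheme is bound to the custom template, and the "default" reference is repointed to it. The scheme name "saml2logon" and the template name "saml2ticket" are assumed placeholders; the template name must match whatever was created in step 1.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<document>
  <authschemes>
    <!-- Shipped scheme, unchanged: user/password logon via the standard "ticket" template -->
    <authscheme name="uidpwdlogon">
      <authentication-template>ticket</authentication-template>
      <priority>20</priority>
      <frontendtype>2</frontendtype>
      <frontendtarget>com.sap.portal.runtime.logon.default</frontendtarget>
    </authscheme>

    <!-- Added scheme: identical shape, but bound to the custom template (assumed name
         "saml2ticket") whose login-module stack carries SAML2LoginModule instead of
         BasicPasswordLoginModule, as described in steps 1 and 2 -->
    <authscheme name="saml2logon">
      <authentication-template>saml2ticket</authentication-template>
      <priority>20</priority>
      <frontendtype>2</frontendtype>
      <frontendtarget>com.sap.portal.runtime.logon.default</frontendtarget>
    </authscheme>
  </authschemes>

  <authscheme-refs>
    <!-- "default" is the scheme applied to unauthenticated Portal requests.
         Before the change it pointed at uidpwdlogon; now it points at the SAML2 scheme -->
    <authscheme-ref name="default">
      <authscheme>saml2logon</authscheme>
    </authscheme-ref>

    <!-- Other references can stay on the user/password scheme if that is intended -->
    <authscheme-ref name="UserAdminScheme">
      <authscheme>uidpwdlogon</authscheme>
    </authscheme-ref>
  </authscheme-refs>
</document>
```

Note that authschemes.xml only selects which template and logon UI a request is routed to; which credentials are actually accepted is decided by the login-module stack of the template named in `<authentication-template>`, which is why a form whose stack no longer contains BasicPasswordLoginModule cannot accept a user and password.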