diff --git a/src/OpenConext/EngineBlockBundle/Configuration/TestFeatureConfiguration.php b/src/OpenConext/EngineBlockBundle/Configuration/TestFeatureConfiguration.php
index 7d4167991..4a13a5a00 100644
--- a/src/OpenConext/EngineBlockBundle/Configuration/TestFeatureConfiguration.php
+++ b/src/OpenConext/EngineBlockBundle/Configuration/TestFeatureConfiguration.php
@@ -46,6 +46,7 @@ public function __construct()
 $this->setFeature(new Feature('eb.feature_enable_consent', true));
 $this->setFeature(new Feature('eb.enable_sso_session_cookie', true));
 $this->setFeature(new Feature('eb.stepup.sfo.override_engine_entityid', false));
+ $this->setFeature(new Feature('eb.feature_enable_idp_initiated_flow', true));
 }

 public function setFeature(Feature $feature): void
diff --git a/src/OpenConext/EngineBlockFunctionalTestingBundle/Features/Consent.feature b/src/OpenConext/EngineBlockFunctionalTestingBundle/Features/Consent.feature
index ea31d0eb6..ff6e02c9a 100644
--- a/src/OpenConext/EngineBlockFunctionalTestingBundle/Features/Consent.feature
+++ b/src/OpenConext/EngineBlockFunctionalTestingBundle/Features/Consent.feature
@@ -80,13 +80,6 @@ Feature:
 And the response should contain "Motivation for affiliation"
 And the response should contain "Motivation for orcid"

- Scenario: The user is presented with an institution provided consent text
- Given I log in at "Dummy-SP"
- And the IdP "Dummy-IdP" provides a consent message "Institutional privacy message" for SP "Dummy-SP"
- And I pass through EngineBlock
- And I pass through the IdP
- Then the response should contain "Institutional privacy message"
-
 Scenario: The user can reload the consent screen without error
 Given I log in at "Dummy-SP"
 And I pass through EngineBlock
@@ -95,6 +88,13 @@ Feature:
 When I reload the page
 Then the response should contain "Proceed to Dummy-SP"

+ Scenario: The user is presented with an institution provided consent text
+ Given I log in at "Dummy-SP"
+ And the IdP "Dummy-IdP" provides a consent message "Institutional privacy message" for SP "Dummy-SP"
+ And I pass through EngineBlock
+ And I pass through the IdP
+ Then the response should contain "Institutional privacy message"
+
 Scenario: The user sees the identifier section when nameid is persistent
 Given SP "Dummy-SP" uses the Persistent NameID format
 And I log in at "Dummy-SP"
diff --git a/src/OpenConext/EngineBlockFunctionalTestingBundle/Features/UnsolicitedSingleSignOnDisabled.feature b/src/OpenConext/EngineBlockFunctionalTestingBundle/Features/UnsolicitedSingleSignOnDisabled.feature
new file mode 100644
index 000000000..0f86bb2b3
--- /dev/null
+++ b/src/OpenConext/EngineBlockFunctionalTestingBundle/Features/UnsolicitedSingleSignOnDisabled.feature
@@ -0,0 +1,18 @@
+Feature:
+ In order to disable unsolicited single sign On
+ As an administrator
+ I want to be able to disable unsolicited login
+
+ Background:
+ Given an EngineBlock instance on "vm.openconext.org"
+ And feature "eb.feature_enable_idp_initiated_flow" is disabled
+ And no registered SPs
+ And no registered Idps
+ And an Identity Provider named "Dummy IdP"
+ And a Service Provider named "Dummy SP"
+
+ # The feature flag: eb.feature_enable_idp_initiated_flow can disable unsolicited login
+ # EB Shows a 404 page in that case as the entire HTTP route is blocked in that case
+ Scenario: Engine disallows unsolicited login
+ When An IdP initiated Single Sign on for SP "Dummy SP" is triggered by IdP "Dummy IdP"
+ Then I should see "404 - Page not found"
diff --git a/src/OpenConext/EngineBlockFunctionalTestingBundle/Resources/config/controllers.yml b/src/OpenConext/EngineBlockFunctionalTestingBundle/Resources/config/controllers.yml
index f100e9bbf..109fbf965 100644
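Review bot: The scenario "Engine disallows unsolicited login" in the new UnsolicitedSingleSignOnDisabled.feature asserts only on the page text "404 - Page not found", so it would still pass if that text were rendered with a non-404 status. I would add a status assertion next to it, for example `And the response status code should be 404`, assuming the Mink step is registered in this suite's contexts. The file also covers only the blocked route; a second scenario showing that an SP-initiated login for "Dummy SP" still succeeds while `eb.feature_enable_idp_initiated_flow` is disabled would guard against the flag blocking more than intended. The `Feature:` line has no title and the comment repeats "in that case"; `# With eb.feature_enable_idp_initiated_flow disabled the unsolicited SSO route is blocked, so EB answers with a 404 page` reads more cleanly.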
--- a/src/OpenConext/EngineBlockFunctionalTestingBundle/Resources/config/controllers.yml
+++ b/src/OpenConext/EngineBlockFunctionalTestingBundle/Resources/config/controllers.yml
@@ -33,3 +33,16 @@ services:
 arguments:
 - "@engineblock.mock_clients.mock_stepup_gateway"
 - "@twig"
+
+ engineblock.controller.authentication.identity_provider:
+ class: OpenConext\EngineBlockBundle\Controller\IdentityProviderController
+ arguments:
+ - "@engineblock.compat.application"
+ - "@twig"
+ - "@engineblock.compat.logger"
+ - "@engineblock.service.request_access_mailer"
+ - "@engineblock.validator.sso_request_validator"
+ - "@engineblock.validator.saml_binding_validator"
+ - "@engineblock.validator.unsolicited_sso_request_validator"
+ - "@engineblock.service.authentication_state_helper"
+ - "@engineblock.functional_testing.fixture.features"
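Review bot: The test-bundle definition of `engineblock.controller.authentication.identity_provider` repeats the controller's full argument list, presumably only to swap the last argument for `@engineblock.functional_testing.fixture.features`, and nothing in the file says so. If the production definition (not visible in this diff) gains or reorders a constructor argument, this copy will drift and the functional suite will exercise a controller wired differently from the one that ships. I would add a comment above the service such as `# Overrides the production controller definition so feature flags come from the test fixture; keep the argument order in sync with the production service`. Because the fixture-backed store then decides whether the unsolicited SSO route is reachable, it is also worth confirming that this file is loaded only in the test environment.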