diff --git a/app/controllers/saml_idp_controller.rb b/app/controllers/saml_idp_controller.rb
index e9e62ce95e7..0574eca8815 100644
--- a/app/controllers/saml_idp_controller.rb
+++ b/app/controllers/saml_idp_controller.rb
@@ -21,7 +21,7 @@ class SamlIdpController < ApplicationController
 def auth
 capture_analytics
- return redirect_to_account_or_verify_profile_url if profile_or_identity_needs_verification?
+ return redirect_to_verification_url if profile_or_identity_needs_verification_or_decryption?
 return redirect_to(sign_up_completed_url) if needs_sp_attribute_verification?
 return redirect_to(user_authorization_confirmation_url) if auth_count == 1
 link_identity_from_session_data
@@ -59,14 +59,19 @@ def saml_metadata
 SamlEndpoint.new(request).saml_metadata
 end
- def redirect_to_account_or_verify_profile_url
+ def redirect_to_verification_url
 return redirect_to(account_or_verify_profile_url) if profile_needs_verification?
 redirect_to(idv_url) if identity_needs_verification?
+ redirect_to capture_password_url if identity_needs_decryption?
 end
- def profile_or_identity_needs_verification?
+ def profile_or_identity_needs_verification_or_decryption?
 return false unless ial2_requested?
- profile_needs_verification? || identity_needs_verification?
+ profile_needs_verification? || identity_needs_verification? || identity_needs_decryption?
+ end
+
+ def identity_needs_decryption?
+ UserDecorator.new(current_user).identity_verified? && user_session[:decrypted_pii].blank?
 end
 def capture_analytics
diff --git a/spec/controllers/saml_idp_controller_spec.rb b/spec/controllers/saml_idp_controller_spec.rb
index 6334c475c00..4e5c12d8ad6 100644
--- a/spec/controllers/saml_idp_controller_spec.rb
+++ b/spec/controllers/saml_idp_controller_spec.rb
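Review bot: In `redirect_to_verification_url` (second hunk of app/controllers/saml_idp_controller.rb), the `redirect_to(idv_url) if identity_needs_verification?` line has no `return`, so if that predicate and the new `identity_needs_decryption?` are both true the action calls `redirect_to` twice and Rails raises a double-render error. `identity_needs_verification?` is defined outside this hunk, so the two cannot be confirmed mutually exclusive from here; writing `return redirect_to(idv_url) if identity_needs_verification?` removes that dependency. A short comment above `identity_needs_decryption?` would also help, for example `# a verified user whose PII is not decrypted in this session must re-enter their password before attributes are asserted`, if that matches the intent of the gate.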
@@ -231,6 +231,8 @@ def name_id_version(format_urn)
 verified_attributes: %w[given_name family_name social_security_number address],
 )
 allow(subject).to receive(:attribute_asserter) { asserter }
+
+ controller.user_session[:decrypted_pii] = pii
 end
 it 'calls AttributeAsserter#build' do
@@ -284,6 +286,15 @@ def name_id_version(format_urn)
 allow(controller).to receive(:identity_needs_verification?).and_return(false)
 saml_get_auth(ial2_settings)
 end
+
+ context 'profile is not in session' do
+ let(:pii) { nil }
+
+ it 'redirects to password capture if profile is verified but not in session' do
+ saml_get_auth(ial2_settings)
+ expect(response).to redirect_to capture_password_url
+ end
+ end
 end
 context 'with IAL2 and the identity is not already verified' do
diff --git a/spec/models/device_spec.rb b/spec/models/device_spec.rb
index 2e040326538..43abbdcc802 100644
--- a/spec/models/device_spec.rb
+++ b/spec/models/device_spec.rb
@@ -19,16 +19,16 @@
 describe '#update_last_used_ip' do
 let(:user) { create(:user) }
 let(:remote_ip) { '1.2.3.4' }
- let(:user_agent) { 'Chrome/58.0.3029.110 Safari/537.36' }
- let(:uuid) { 'abc123' }
- let(:now) { Time.zone.now }
- let(:old_timestamp) { now - 1.hour }
+ let(:old_timestamp) { 1.hour.ago }
 let(:device) { create(:device, last_used_at: old_timestamp) }
 it 'updates the last ip and last_used_at' do
- expect { device.update_last_used_ip(remote_ip) }.
- to(change { device.reload.last_used_at.to_i }.from(old_timestamp.to_i).to(now.to_i).
- and(change { device.reload.last_ip }.to(remote_ip)))
+ freeze_time do
+ now = Time.zone.now
+ device.update_last_used_ip(remote_ip)
+ expect(device.last_ip).to eq(remote_ip)
+ expect(device.last_used_at.to_i).to eq(now.to_i)
+ end
 end
 end
 end
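Review bot: The new example in the 'profile is not in session' context of spec/controllers/saml_idp_controller_spec.rb asserts only the redirect, so it does not pin that no assertion is built when `decrypted_pii` is missing. If the `asserter` object stubbed in the earlier `before` block is in scope here (the enclosing context starts outside the hunk), adding `expect(asserter).not_to receive(:build)` before `saml_get_auth(ial2_settings)` would make the test fail should attribute release ever run ahead of the password check. Because `identity_needs_decryption?` uses `blank?`, a second case with an empty value such as `let(:pii) { {} }` would cover that branch as well.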
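Review bot: The rewritten example in spec/models/device_spec.rb reads `device.last_ip` and `device.last_used_at` from the in-memory object, whereas the removed expectation went through `device.reload`; the test would now pass even if `update_last_used_ip` assigned the attributes without saving them. Keeping the reload restores the persistence check, e.g. `expect(device.reload.last_ip).to eq(remote_ip)` followed by the existing `last_used_at` expectation. The example also no longer asserts that `last_used_at` started at `old_timestamp`, which weakens it slightly as a check that the value actually changed.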