For what it's worth, and even though this post may best be posted in a different thread, I'll still risk the post delete. I think, for a simple example, a reverse-proxy VPN software, like tailscale.com, could act as a surrogate IdP. Instead of having to choose between using either the "IDP side user end" sign-on authentication OR the "SP Initiated sign-on" option, a single reverse-proxy VPN could address both choices, simultaneously, and completely.