[jahewson]

IDP-initiated flows are less secure, as they cannot prevent unsolicited logins. Last time I checked Google went as far as to block this flow in their Firebase Auth product.

https://www.identityserver.com/articles/the-dangers-of-saml-...