Hi All, I'm curious whether there are views on whether unsolicited IDP-initiated SAML authentication is an appropriate choice in general to allow SSO into Salesforce from an identity provider?
A few points around this:
- IDP-initiated SAML in general is susceptible to Man-in-the-Middle attacks possible through CSRF (https://www.identityserver.com/articles/the-dangers-of-saml-idp-initiated-sso, https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/SAML_Security_Cheat_Sheet.md)
- At least some of the mitigating recommendations in links above are followed by Salesforce (replay detection, preventing open redirects), but these don't provide complete protection - perhaps there's something I'm missing which does?
- It seems as though when Salesforce itself is set up as an identity provider, it won't initiate an IDP-initiated flow, but will instead redirect to a protected resource so an SP-initiated flow can begin (at least from the app launcher). I wonder if this is done to avoid possible security risks.
- An IDP-initiated flow may be necessary in niche circumstances (legacy IDPs not supporting SAML 2.0, or orgs where My Domain can't easily be enabled).
I'm currently putting together an overview of the main identity flows and recommended use cases for each, and it would be great to make sure this includes the right message for whether / when to use IDP-initiated authentication. Based on the above, I'm thinking the right recommendation is to use SP-initiated SSO only unless one of the points in 4 above applies, but I will change this if there's something I'm overlooking?
Many thanks
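To make the distinction in the post concrete, here is an added example (not code from the thread or from Salesforce) of the acceptance checks a SAML service provider applies: a solicited response must carry an `InResponseTo` matching an outstanding, single-use AuthnRequest ID, while an unsolicited (IdP-initiated) response has no such link and can only be admitted by policy. It also shows why replay detection and validity windows, on their own, do not close the gap: a fresh unsolicited assertion passes every check except the `InResponseTo` one. The entity IDs, timestamps and response XML are constructed sample values, and XML signature verification is assumed to have happened upstream (a hypothetical step, not shown).

```python
"""Added example (not from the thread): SP-side SAML response acceptance checks.
Signature verification is assumed done before these checks (hypothetical upstream
step). Entity IDs, times and the response XML below are constructed samples."""
import datetime as dt
import uuid
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SP_ENTITY_ID = "https://sp.example.test/saml"  # constructed sample value


def parse_saml_time(text):
    """SAML timestamps are UTC ISO 8601 with a trailing Z."""
    return dt.datetime.fromisoformat(text.replace("Z", "+00:00"))


class ServiceProvider:
    """The state an SP needs: outstanding AuthnRequest IDs and consumed assertion IDs."""

    def __init__(self, entity_id=SP_ENTITY_ID, request_ttl=dt.timedelta(minutes=5)):
        self.entity_id = entity_id
        self.request_ttl = request_ttl
        self.pending = {}             # AuthnRequest ID -> expiry time
        self.seen_assertions = set()  # assertion IDs already accepted

    def issue_authn_request(self, now):
        """SP-initiated flow starts here: mint a request ID and remember it."""
        req_id = "_" + uuid.uuid4().hex
        self.pending[req_id] = now + self.request_ttl
        return req_id

    def accept_response(self, xml_text, now, allow_unsolicited=False):
        """Return (accepted, reason). Assumes the signature was already verified."""
        root = ET.fromstring(xml_text)
        if root.tag != f"{{{NS['samlp']}}}Response":
            return False, "not a samlp:Response"
        in_response_to = root.get("InResponseTo")
        if in_response_to is None:
            # No InResponseTo: this browser never asked us to start a login, so a
            # response it was steered into posting looks identical to a genuine
            # IdP-initiated one. Only the SP's policy can tell them apart.
            if not allow_unsolicited:
                return False, "unsolicited response rejected (SP-initiated only)"
        else:
            expiry = self.pending.pop(in_response_to, None)  # single use
            if expiry is None:
                return False, "InResponseTo does not match an outstanding request"
            if now > expiry:
                return False, "matching request has expired"
        assertion = root.find("saml:Assertion", NS)
        if assertion is None:
            return False, "no assertion"
        assertion_id = assertion.get("ID")
        if assertion_id in self.seen_assertions:
            return False, "assertion replayed"
        cond = assertion.find("saml:Conditions", NS)
        if cond is None:
            return False, "no conditions"
        if now < parse_saml_time(cond.get("NotBefore")):
            return False, "assertion not yet valid"
        if now >= parse_saml_time(cond.get("NotOnOrAfter")):
            return False, "assertion expired"
        audience = cond.find("saml:AudienceRestriction/saml:Audience", NS)
        if audience is None or audience.text != self.entity_id:
            return False, "audience mismatch"
        self.seen_assertions.add(assertion_id)
        return True, "accepted"


def build_response(assertion_id, in_response_to=None, not_before="2024-01-01T11:59:00Z",
                   not_on_or_after="2024-01-01T12:05:00Z", audience=SP_ENTITY_ID):
    """Constructed, unsigned sample response; omit in_response_to for an unsolicited one."""
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_resp{assertion_id}" Version="2.0" IssueInstant="2024-01-01T12:00:00Z"{irt}>
  <saml:Issuer>https://idp.example.test/idp</saml:Issuer>
  <saml:Assertion ID="{assertion_id}" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://idp.example.test/idp</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def run_scenarios():
    """Walk the cases discussed in the thread; returns {name: (accepted, reason)}."""
    sp = ServiceProvider()
    now = dt.datetime(2024, 1, 1, 12, 0, 5, tzinfo=dt.timezone.utc)
    req = sp.issue_authn_request(now)
    r = {}
    r["solicited"] = sp.accept_response(build_response("_a1", req), now)
    r["solicited_twice"] = sp.accept_response(build_response("_a1", req), now)
    r["forged_request_id"] = sp.accept_response(build_response("_a2", "_never_issued"), now)
    r["unsolicited_strict"] = sp.accept_response(build_response("_a3"), now)
    r["unsolicited_permissive"] = sp.accept_response(build_response("_a3"), now, allow_unsolicited=True)
    r["unsolicited_replayed"] = sp.accept_response(build_response("_a3"), now, allow_unsolicited=True)
    # Replay detection does not help here: a fresh unsolicited assertion is accepted.
    r["unsolicited_fresh"] = sp.accept_response(build_response("_a4"), now, allow_unsolicited=True)
    r["expired"] = sp.accept_response(
        build_response("_a5", sp.issue_authn_request(now), not_on_or_after="2024-01-01T12:00:00Z"), now)
    r["wrong_audience"] = sp.accept_response(
        build_response("_a6", sp.issue_authn_request(now), audience="https://other.example.test"), now)
    return r


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:24s} {outcome}")
```

The `unsolicited_fresh` case is the one that matters for the question above: with `allow_unsolicited=True`, replay detection, the validity window and the audience check all pass for an assertion the SP never asked for, so nothing in the SP can tell a user-intended IdP-initiated login from one the browser was steered into. Only rejecting responses without a matching `InResponseTo` (i.e. SP-initiated only) removes that ambiguity, which is why the request-ID store is kept single-use and time-bounded.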
2 comments
Thanks @Charlie Guo, good point that this is needed to provide SAML for a Salesforce canvas app unless the login page is disabled. I'd imagine many other web-based apps also prevent iframing of login pages and so would have the same challenge.