I've just entered a new idea at ideas.sailpoint.com (https://ideas.sailpoint.com/ideas/IIQ-I-302)
So, I'm chasing for your "thumbs up" and ask you to vote the idea up.
The basic idea behind this idea is that there is no possibility to send a signed authentication request to the IdP. We will get a signed answer, but the IdP can't validate that the request is coming from a trusted source. By implementing this feature in IIQ, the security of SSO can be lifted up by ensuring that the IdP is getting a request from a trusted source.
Pascal (50.8503° N, 4.3517° E)