An identity provider-initiated (IdP-initiated) SAML flow carries the risk of a login CSRF attack. Auth0's suggested mitigation is to add another round trip, so that the login effectively becomes service provider-initiated after all.
For comparison, here is the usual service provider-initiated (SP-initiated) flow, which starts at the app. In this example Auth0 is the service provider and Okta is the identity provider.
app > auth0 (sp) > okta (idp) > auth0 (sp) > app
With an IdP-initiated flow the login starts at Okta instead:
okta (idp) > auth0 (sp) > app
Here the SAML response is unsolicited: the SP never sent an AuthnRequest, so there is no request ID (InResponseTo) that ties the response to something this particular browser asked for. That is exactly what a login CSRF needs. An attacker can obtain a valid response for their own account and deliver it to a victim's browser, which is then logged in under the attacker's identity. To mitigate this, Auth0 suggests that the app does not treat the IdP-initiated login as authoritative, but instead makes a fresh round trip through Auth0, so the remainder of the login is a normal SP-initiated flow:
okta (idp) > auth0 (sp) > app > auth0 (sp) > okta (idp) > auth0 (sp) > app
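The following is an added example, not Auth0 or Okta code, modelling the SP side of the round trip described above. It assumes a simplified response object (signature and issuer checks are stubbed to an issuer comparison) and a per-browser-session store of outstanding request IDs; those names and the per-session binding are the example's own assumptions. The point it demonstrates: an unsolicited response never creates a session, it only triggers a new SP-initiated request, and a response is accepted only when its InResponseTo matches a request ID issued to the same browser session, so an attacker cannot start a request in their own browser and replay the resulting response into a victim's browser.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class SamlResponse:
    """Constructed model of the fields the SP cares about here (real responses are signed XML)."""
    issuer: str
    subject: str
    in_response_to: Optional[str]  # None for an unsolicited (IdP-initiated) response


@dataclass
class ServiceProvider:
    trusted_idp: str
    # Outstanding AuthnRequest IDs, keyed by the browser session (cookie) that started them.
    # Binding to the browser session is what defeats cross-browser delivery of a response.
    pending: Dict[str, Set[str]] = field(default_factory=dict)
    sessions: Dict[str, str] = field(default_factory=dict)

    def start_authn_request(self, browser_session: str) -> str:
        """SP-initiated step: mint an unguessable request ID and remember it for this browser only."""
        request_id = "_" + secrets.token_hex(16)
        self.pending.setdefault(browser_session, set()).add(request_id)
        return request_id

    def consume_response(self, browser_session: str, resp: SamlResponse) -> dict:
        """Assertion consumer: decide whether the response may log this browser in."""
        # Stand-in for signature and issuer validation against IdP metadata.
        if resp.issuer != self.trusted_idp:
            return {"action": "reject", "reason": "untrusted issuer"}

        if resp.in_response_to is None:
            # Unsolicited (IdP-initiated) response: do not log anyone in, and ignore the
            # asserted subject. Start the round trip back to the IdP instead.
            request_id = self.start_authn_request(browser_session)
            return {"action": "redirect_to_idp", "request_id": request_id}

        outstanding = self.pending.get(browser_session, set())
        if resp.in_response_to in outstanding:
            outstanding.discard(resp.in_response_to)  # one-time use: no replay
            self.sessions[browser_session] = resp.subject
            return {"action": "login", "subject": resp.subject}

        # Either replayed, or issued to a different browser session (login CSRF attempt).
        return {"action": "reject", "reason": "InResponseTo was not issued to this browser session"}


def round_trip_demo() -> list:
    """Walk the mitigated flow for one browser and return the sequence of SP decisions."""
    sp = ServiceProvider(trusted_idp="okta")
    victim = "victim-cookie"
    steps = []

    # 1. Okta pushes an unsolicited response (as an attacker could) into the victim's browser.
    first = sp.consume_response(victim, SamlResponse("okta", "attacker@example.com", None))
    steps.append(first["action"])

    # 2. The round trip: the IdP answers the SP's own request, carrying its ID back.
    second = sp.consume_response(
        victim, SamlResponse("okta", "victim@example.com", first["request_id"])
    )
    steps.append(second["action"])

    # 3. Replaying the same response must fail.
    steps.append(sp.consume_response(
        victim, SamlResponse("okta", "victim@example.com", first["request_id"])
    )["action"])

    # 4. A response answering a request started in the attacker's own browser must fail too.
    attacker_rid = sp.start_authn_request("attacker-cookie")
    steps.append(sp.consume_response(
        victim, SamlResponse("okta", "attacker@example.com", attacker_rid)
    )["action"])

    return steps


if __name__ == "__main__":
    print(round_trip_demo())
```

Real SPs also check the assertion's signature, audience, recipient URL and validity window before any of this; the example isolates only the request binding that the round trip restores.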