IDP Initiated SSO - Few Questions

Hi,

I am getting familiar with Component Spec APIs for SSO, particularly IDP Initiated SSO. I have a few questions.

1) From the description of this scenario, it looks like:
(Local) IDP InitiateSSO is called first, passing the Response Assertion details (and attributes, relay state etc.)
(Partner) SP's ReceiveSSO is called later

So, it looks like this is a one-way communication. How will the SP communicate to IDP after the above step, in case the situation demands it? I am not quite sure, but the rules might require exchanging multiple handshakes initiated from SP to IDP. Can SP use SP.SendSSO and IDP call ReceiveSSO for this scenario? Then can IDP call SendSSO and SP call ReceiveSSO? I do not see this in the documentation for IDP Initiated SSO.

2) For a Service Provider using another SAML API framework, what all does the IDP need to provide to them?
IDP .cer file -
I am a little confused here… as IDP, they could have a secured web site which has a certificate… Is this certificate to be provided? Or any dummy certificate generated through the X509 process?
SingleSignOnServiceUrl - What is the use of this for SP? Since it looks like the whole flow is one-way communication…

1) IdP-initiated SSO involves a single message, a SAML response, being sent from the IdP to the SP.
No other messages are involved.
The SAML specification doesn't allow the SP to communicate with the IdP in this flow.
SP-initiated SSO involves two messages.
The SP sends a SAML authn request to the IdP.
The IdP sends a SAML response to the SP.

SAMLIdentityProvider.InitiateSSO sends a SAML response as part of IdP-initiated SSO.
SAMLIdentityProvider.ReceiveSSO receives a SAML authn request and SAMLIdentityProvider.SendSSO sends a SAML response as part of SP-initiated SSO.
SAMLServiceProvider.InitiateSSO sends a SAML authn request as part of SP-initiated SSO.
SAMLServiceProvider.ReceiveSSO receives a SAML response as part of IdP- or SP-initiated SSO.

2) For IdP-initiated SSO support, the IdP needs to provide the following to the SP:
- IdP entity ID (aka provider name), which is the Name in your saml.config
- IdP .CER certificate file, which corresponds to the .PFX file specified as the LocalCertificateFile in your saml.config.

The certificate is used by the SP to verify XML signatures on SAML responses or assertions from the IdP.

The SingleSignOnServiceUrl is only required if supporting SP-initiated SSO. It's the endpoint to receive SAML authn requests.
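As an added illustration of the answer above (example code, not ComponentSpace's API and not the poster's): the checks an SP performs on the single SAML Response of IdP-initiated SSO, written with Python's standard library. The entity IDs, URLs and the sample Response are constructed; verifying the Response's XML signature against the IdP's .cer must happen before any of these checks and is not shown, since it needs an xmlsec library.

```python
# Added example, not ComponentSpace code; XML signature verification with the IdP .cer is not shown.
from datetime import datetime, timezone
import xml.etree.ElementTree as ET
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Assumed SP configuration: partner IdP entity ID, our own entity ID, our ACS endpoint.
SP_CONFIG = {"partner_idp": "https://idp.example.test/saml",
             "sp_entity_id": "https://sp.example.test/saml",
             "acs_url": "https://sp.example.test/acs"}

def validate_response(xml_text, cfg, outstanding_ids, now=None):
    """Return (flow, name_id); raise ValueError when any check fails."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    if root.get("Destination") != cfg["acs_url"]:
        raise ValueError("Destination is not our ACS URL")
    if root.findtext("saml:Issuer", namespaces=NS) != cfg["partner_idp"]:
        raise ValueError("Issuer is not the configured partner IdP")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("status is not Success")
    irt = root.get("InResponseTo")
    if irt is None:
        flow = "idp-initiated"      # unsolicited: the one-message flow
    elif irt in outstanding_ids:
        flow = "sp-initiated"       # answers an authn request this SP sent
    else:
        raise ValueError("InResponseTo matches no outstanding request")
    cond = root.find("saml:Assertion/saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions")
    if now >= datetime.fromisoformat(cond.get("NotOnOrAfter").replace("Z", "+00:00")):
        raise ValueError("assertion expired")
    if cfg["sp_entity_id"] not in [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("our entity ID is not in the Audience")
    return flow, root.findtext("saml:Assertion/saml:Subject/saml:NameID", namespaces=NS)

def sample_response(in_response_to=None, issuer=SP_CONFIG["partner_idp"],
                    not_on_or_after="2030-01-01T00:00:00Z"):
    """Constructed, unsigned sample Response for demonstration only."""
    irt = ' InResponseTo="%s"' % in_response_to if in_response_to else ""
    return ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_r1" Version="2.0"'
            ' Destination="https://sp.example.test/acs"%s><saml:Issuer>%s</saml:Issuer>'
            '<samlp:Status><samlp:StatusCode Value="%s"/></samlp:Status>'
            '<saml:Assertion ID="_a1" Version="2.0"><saml:Issuer>%s</saml:Issuer>'
            '<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>'
            '<saml:Conditions NotOnOrAfter="%s"><saml:AudienceRestriction><saml:Audience>'
            'https://sp.example.test/saml</saml:Audience></saml:AudienceRestriction>'
            '</saml:Conditions></saml:Assertion></samlp:Response>'
            % (NS["samlp"], NS["saml"], irt, issuer, SUCCESS, issuer, not_on_or_after))
```

With no InResponseTo the SP has nothing to correlate against, so Issuer, Destination, Audience and NotOnOrAfter (plus the signature) are all that ties the message to this SP.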