Hi: I will soon have an SP and an IdP, both of which are behind separate firewalls. Is it possible to integrate the SP with the Idp, without opening the firewall. It will be SAML2, without back-channel transaction; if this is the case, am I correct in making the assumption that all transactions are made via the browser, and opening the firewall is not required? Thanks.