Proxy IdP hybrid question local and remote IdPs

Mak, Steve makst at upenn.edu
Tue Sep 8 23:48:14 UTC 2020


Hi all.

I'm trying to figure out how to solve the following use case:

For a specific SP we need to present users with the ability to choose either my IdP or a remote IdP for authentication. (preferably at the authn/Password view step)
We don't control the SP so we can't force discovery at the SP level at this time.



I've figured out how to set up proxy IdP for 1 SP using
- filter with xsi:type=Issuer
- resolver SubjectDerivedAttribute with a Subject DataConnector
- mfa script to route to authn/SAML for the SP and bypass 2FA
- set the optional SAML.discoveryFunction to the 1 IdP we'll use
- activated the c14n/attribute flow
- set my c14n.attribute.AttributesToResolve and SourceIds to the resolver SubjectDerived id


This appears to have the side effect of causing c14n/attribute to run for ALL authn flows, not just authn/SAML, unless I create an activationCondition script to bypass c14n/attribute conditionally. I also notice that before it did not attempt to canonicalize after authn/Password, but now it does. While I don't really mind the extra log lines, I'm worried that I did something wrong.


Questions:
1. Did I do this correctly? I was hoping c14n/simple would still be chosen for my other SPs.
2. I don't see an ability to use my IdP vs remote IdP for a single SP; is proxy intended for this?
3. Is Proxy IdP intended to be used in a hybrid c14n context?


Thank you,
Steve Mak
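As an added illustration (not from the post above or from the Shibboleth project), this is the kind of activationCondition the message mentions: it gates c14n/attribute so it only activates when the login result came from the authn/SAML proxy flow, leaving password logins to fall through to c14n/simple. It assumes the IdP 4 layout of conf/c14n/subject-c14n.xml (the shibboleth.PostLoginSubjectCanonicalizationFlow parent and the shibboleth.Conditions.Scripted bean), that c14n/simple is still listed after c14n/attribute, and that the proxy flow id is literally "authn/SAML"; check all three against your own deployment.

```xml
<!-- Added example, not part of the original post or of the Shibboleth
     distribution. Assumed to live in conf/c14n/subject-c14n.xml, in the
     post-login flow list, ahead of the c14n/simple entry. -->
<bean id="c14n/attribute" parent="shibboleth.PostLoginSubjectCanonicalizationFlow"
      p:activationCondition-ref="ProxiedLoginOnly" />

<!-- Scripted predicate: 'input' is the ProfileRequestContext. It answers true
     only when the just-completed authentication flow is the SAML proxy. -->
<bean id="ProxiedLoginOnly" parent="shibboleth.Conditions.Scripted"
      factory-method="inlineScript">
    <constructor-arg>
        <value>
        <![CDATA[
        // Assumed flow id of the proxy flow; adjust if yours is named differently.
        var proxyFlowId = "authn/SAML";
        var ok = false;
        var authnCtx = input.getSubcontext(
            "net.shibboleth.idp.authn.context.AuthenticationContext");
        if (authnCtx != null) {
            var result = authnCtx.getAuthenticationResult();
            if (result != null) {
                ok = proxyFlowId.equals(result.getAuthenticationFlowId());
            }
        }
        // Last expression is the predicate's value: false keeps the
        // password flows on c14n/simple, true lets the proxied result
        // reach the attribute-based canonicalizer.
        ok;
        ]]>
        </value>
    </constructor-arg>
</bean>
```

With the condition in place, the extra c14n/attribute log lines after authn/Password should disappear, which is a quick way to confirm the gate is working.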