Added a section about this to the docs since it's quite non-obvious. In effect, you really have to set your policies in the proxy to match the policies used by the upstream IdP. -- Scott