Hi @mcoop
Welcome to the Auth0 Community!
I am sorry for the late reply to your post, and hopefully you have managed to find a solution; however, if you have not, I can provide you with some extra insight for your implementation.
Indeed, the SAML2 Web App add-on is the correct approach for your use case. In order to set one of your applications (the SPA app in your case) as a SAML IdP, the add-on must be enabled, and it can be configured from there. Setting your SPA app to be the SAML IdP for the connection should not affect your login flow; you can also create a new application for that purpose.
For more documentation regarding implementing the SAML SSO, you can visit this or learn how to set up the SAML IdP here.
Instead of building an IdP-Initiated SSO on your Auth0 tenant, I would recommend implementing it on your SPA application, where the user clicks a link that redirects them to the 3rd party app, which then makes an /authorize call back to your tenant in order to authenticate them:
GET https://YOUR-AUTH0-TENANT.REGION.auth0.com/authorize?
response_type=code|token&
client_id={client_id of your 3rd party app}&
connection={SAML connection that the user authenticated through the SPA app}&
redirect_uri={URL of your 3rd party app}
Otherwise, if you still want to continue with your initial approach, you can view this post, which explains how to set up an IdP SAML SSO, or view our documentation on this matter.
If you have any additional questions, please feel free to reply back.
Kind Regards,
Nik