@matthew.plant you know our use case so you may be able to help 
The relaying party here is Salesforce, and we start the journey there.
I read this - https://assets.ctfassets.net/2ntc334xpx65/7pXoFWwEciDBmxEklweBKL/2621fe2b79c932fcddecb711bd6679fd/the-openid-connect-handbook-1_1.pdf and I believe what is being asked for above breaks the flow:
1. Visitors request the app to start the authentication process 2. The application redirects visitors to the identity provider 3. The identity provider redirects visitors back to the application with a few artifacts 4. The application uses these artifacts to issue a request to the identity provider to complete the authentication process 5. The application shows a page to users containing some indication that they are logged in