
Launch HN: SSOReady (YC W24) – Making SAML SSO painless and open source
1. whartu+69 2024-07-30 16:59:38
>>ucario+(OP)
I can only wish you good luck. I mean it, best of luck to you all.

We wrote our own IdP back in the day. It was a cool project, Single Sign On, Single Sign OUT, User provisioning, just all sorts of stuff.

And it worked! It's amazing when it works, it's just like magic. You giggle when it works.

We did all sorts of integrations. To random Service Providers, integrating with other IdPs, etc. Some were really cool. Great functionality.

But I simply float this one caveat.

It was never "painless". Ever. It was always pulling teeth.

The dark truth is you can have the best IdP in the world, but everyone on the other side of the conversation is a black box. You get a lot of payloads simply shipped into the void, never to be seen again, consumed for some unknown reason.

Add to that that very often the people you're integrating with have no concept of SAML, its workflows, its payloads, etc., much less the capabilities of their own stack in regards to SAML. So you get to train them (and learn about their system) at the same time.

We never had real problems with signing and formatting and such that folks worry about. It was mostly just diagnosing black boxes more than anything, the endless black hole of cert management, etc.

So, good luck! I hope it works for you! It's a neat space to play.

2. xyst+Oq1 2024-07-31 04:13:00
>>whartu+69
So it’s like managing your own e-mail server.

SPF, DMARC, and DKIM are set up correctly. Domain name A/AAAA/TXT/MX records are all set up and propagated throughout the world. Mail server tested with external tools like mail-tester.com.

But there is a whole new world of “other mail servers” now. Some mail servers are okay. Delivery works fine. Some mail servers have odd policies and implement strict block lists and maintain their own rep of each domain/sender.
