I currently have a working IDP Proxy Structure and will need to integrate an application which only supports OIDC SSO into this structure. In my opinion, I would like to add a relay party that contains the login URL of the OIDC application. When users want to log in to the OIDC application, they don’t visit the address of the OIDC application directly. They will visit the relay party and then be authenticated through SAML using IDP Proxy. After the cookie is generated in the Proxy Layer and the assertion is sent to the relay party, the relay party will trigger the OIDC flow between the application and the proxy layer. Because the user’s session is already generated, he/she doesn’t need to authenticate, and the application could directly get the Authorization Code and use the code to exchange for id_token and access_token. I wonder if this design is cost-efficient and if there is any better design?
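The session-reuse step the question describes, sketched as an added example that is not part of the original post: the proxy's OIDC authorization endpoint issues a code without prompting when its own session cookie (set after the SAML login) is present, and otherwise sends the browser to the SAML login. The client ID, URLs, paths and function names are assumptions, and the `id_token` is a placeholder string rather than a signed JWT.

```python
import secrets
import time
from urllib.parse import urlencode

SESSIONS = {}  # proxy session cookie -> user, set after SAML login at the proxy
CODES = {}     # authorization code -> (client_id, redirect_uri, user, expiry)
CLIENTS = {"oidc-app": "https://app.example/callback"}  # constructed registration

def saml_login_completed(user):
    """Called once the upstream IdP's SAML assertion has been validated."""
    cookie = secrets.token_urlsafe(32)
    SESSIONS[cookie] = user
    return cookie

def authorize(cookie, client_id, redirect_uri, state):
    """Proxy's OIDC authorization endpoint; returns the URL to redirect to."""
    # Exact-match the registered redirect_uri before anything else.
    if CLIENTS.get(client_id) != redirect_uri:
        raise ValueError("unregistered client or redirect_uri")
    user = SESSIONS.get(cookie)
    if user is None:
        # No proxy session yet: authenticate through SAML first (hypothetical path).
        return "/saml/login?" + urlencode({"return_to": "/authorize"})
    # Session exists: issue a short-lived code bound to this client and URI.
    code = secrets.token_urlsafe(32)
    CODES[code] = (client_id, redirect_uri, user, time.time() + 60)
    return redirect_uri + "?" + urlencode({"code": code, "state": state})

def token(code, client_id, redirect_uri):
    """Token endpoint: the code is single-use and bound to client and URI."""
    entry = CODES.pop(code, None)  # pop so a replayed code is rejected
    if entry is None:
        raise ValueError("invalid_grant")
    bound_client, bound_uri, user, expiry = entry
    if (bound_client, bound_uri) != (client_id, redirect_uri) or time.time() > expiry:
        raise ValueError("invalid_grant")
    return {
        "sub": user,
        "id_token": "<signed-JWT-placeholder>",  # signing omitted in this sketch
        "access_token": secrets.token_urlsafe(32),
    }
```
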