We will need an authenticator that the ServiceProvider can configure that has both the SAML11 idp_initiated_behavior authenticator and SAML2 SP_initiated_sso behavior. The authenticator can have a flag to indicate which is needed (whether SAML11 or SAML2 but not both).