The IdP needs a way to protect its own administrative features (few of which currently exist) with the authentication layer it uses for the SSO protocols. This is about the only web application I would ever argue should "do" authentication itself.
Some kind of hook for authz would be desirable, but I would be very hesitant to build it out beyond an interface, so that we're not reinventing that wheel right now. Something like what I already built for that might be workable; I don't know yet.
It would be simple to just prototype how a particular web flow could call into the authentication layer for its own use. Maybe that's good enough. It seems weird to think about adding some kind of additional "session" with the IdP to access its own features and not just use the one we already have for SSO.