Forum Discussion
APM as SAML SP and multiple host names
I spent some additional time looking at options, and came to discover one important (and admittedly annoying) nuance of the APM IdP: it matches on both the AssertionConsumerServiceURL and EntityID values of the bound SP config. I wrote a layered LTM VIP iRule to try to change either on the way out (to adjust for the actual host name), but got the same error in both cases:
SSOv2 Error: No SP Connector attached to SAML SSO (/Common/idp.domain.com) matching authentication request. If ACS URL is present in authentication request it should match ACS URL from SP Connector. If Issuer is present in authentication request it should match entity_id from SP Connector.
So because the ACS and EntityID values are bound to the SP config, which is bound to the IdP, you cannot dynamically change them in flight. I know it seems taxing, but doing the layered approach with one LTM external VIP and 6 internal APM VIPs (with individual SP configs all bound to the single IdP) may be the least complicated way to make this work.
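As an added illustration (not code from the post, and not F5 APM code), the script below models the two checks named in the error message above and shows why an in-flight rewrite of only one field cannot help: an AuthnRequest that carries an AssertionConsumerServiceURL must match the connector's ACS URL, and one that carries an Issuer must match the connector's entity ID, and both checks apply to the same bound connector. The connector names, host names and the minimal unsigned AuthnRequest are all constructed for the example; the HTTP-Redirect encoding helpers are there only to show what an iRule would have to undo before it could touch the request at all.

```python
"""Model of the SP-connector matching rule quoted in the APM error (added example).

Not F5 APM code. It models the two checks the error text names: if the
AuthnRequest carries an AssertionConsumerServiceURL it must equal the
connector's ACS URL, and if it carries an Issuer it must equal the connector's
entity ID. Both apply, so rewriting only one of them on the way out still
yields no matching connector.
"""
import base64
import zlib
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


@dataclass(frozen=True)
class SpConnector:
    name: str        # APM object path; the names below are assumptions
    entity_id: str
    acs_url: str


# Constructed connectors; host names are assumptions, not taken from the post.
SP_APP1 = SpConnector("/Common/sp_app1", "https://app1.example.com/sp", "https://app1.example.com/saml/acs")
SP_APP2 = SpConnector("/Common/sp_app2", "https://app2.example.com/sp", "https://app2.example.com/saml/acs")
SINGLE_SP = [SP_APP1]              # one SP config bound to the IdP, rewrite attempted in an iRule
PER_HOST_SPS = [SP_APP1, SP_APP2]  # one SP config per host, all bound to the single IdP


def build_authn_request(issuer: str, acs: str) -> str:
    """Constructed minimal, unsigned AuthnRequest for the demo."""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" '
        f'Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
        f'AssertionConsumerServiceURL="{acs}">'
        f"<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>"
    )


def encode_redirect_binding(xml_text: str) -> str:
    """HTTP-Redirect binding value for SAMLRequest=: base64(raw DEFLATE)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(raw).decode("ascii")


def decode_redirect_binding(param: str) -> str:
    """Inverse of the above: what an iRule must do before it can edit the request."""
    return zlib.decompress(base64.b64decode(param), -15).decode("utf-8")


def parse_authn_request(xml_text: str):
    """Return (issuer, acs_url); either is None when absent from the request."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    issuer_el = root.find(f"{{{SAML}}}Issuer")
    issuer = issuer_el.text.strip() if issuer_el is not None and issuer_el.text else None
    return issuer, root.get("AssertionConsumerServiceURL")


def rewrite_in_flight(xml_text: str, acs: Optional[str] = None, issuer: Optional[str] = None) -> str:
    """What the layered-VIP iRule tried: change ACS and/or Issuer on the way out."""
    root = ET.fromstring(xml_text)
    if acs is not None:
        root.set("AssertionConsumerServiceURL", acs)
    if issuer is not None:
        issuer_el = root.find(f"{{{SAML}}}Issuer")
        if issuer_el is None:
            raise ValueError("request has no Issuer to rewrite")
        issuer_el.text = issuer
    return ET.tostring(root, encoding="unicode")


def match_connector(xml_text: str, connectors) -> Optional[SpConnector]:
    """Apply both checks from the error message; None means 'No SP Connector attached'."""
    issuer, acs = parse_authn_request(xml_text)
    for c in connectors:
        if acs is not None and acs != c.acs_url:
            continue
        if issuer is not None and issuer != c.entity_id:
            continue
        return c
    return None


if __name__ == "__main__":
    req = build_authn_request(SP_APP2.entity_id, SP_APP2.acs_url)  # request arriving via the app2 host
    print("single SP, untouched      :", match_connector(req, SINGLE_SP))
    print("single SP, ACS rewritten  :", match_connector(rewrite_in_flight(req, acs=SP_APP1.acs_url), SINGLE_SP))
    print("single SP, Issuer rewritten:", match_connector(rewrite_in_flight(req, issuer=SP_APP1.entity_id), SINGLE_SP))
    print("per-host SPs, untouched   :", match_connector(req, PER_HOST_SPS).name)
```

The first three runs reproduce the "no SP connector matching authentication request" outcome for a request from a second host when only one SP connector is bound, whether the ACS URL or the Issuer is rewritten; the last run matches without any rewriting because a connector exists for that host, which is the per-host SP config approach described above.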