Redirect unauthentication traffic to saml idp from ltm vs.

HI I am trying to configure the f5 to act as an Saml Idp. I have an application which is currently configured to act as an external sp. (the application sites behind an ltm virtual server, the ltm just load balances the connection to the servers which host the application.) When the user goes to the application it confirms that the user is not authenticated and redirects to idp and an assertion is generated, that seems sucessful. however obviously the initial connection to the app is unauthenticated and I have been asked to ensure that no unauthenticated traffic is passed through to application. I am new to saml so I've not having much sucess atm, do I need to configure the f5 as an sp as well, and if so how do redirect to the application after the assertion has been generated. Apologies in advance if unclear, suffering from lack of sleep and too much coffee, is is the a simpler mechanism and i cant see the forrest for the trees ?