In our case, the IDP just returns the SAML response from where the request came from. I am not sure what other IDPs would do if there is a PicketLink SP. If you are using the PL IDP, you can just set it to the SP URL.
Just wondering if there is any successful use case integrating Layer 7 XML Firewall with PicketLink. Would appreciate if you can share your experience. We are currently working on a large-scale project which will need to get this use case implemented.