Thanks - unfortunately there's no appetite to deploy another IDP - we're heavily invested in Okta so we'd like to use this really.
It looks entirely possible to do - I just could use some advice with what values to set for the login redirect URIs on both sides / the SP and the IDP.
I have a ticket open with VMware support but I think this is uncharted territory for them - they're asking re: 'What errors are you getting' etc. I'm not really at that point - I could guess some values to generate errors, but not sure if that's a sensible way to progress the conversation!
I'll keep hacking away, but if there's any bright spark out there who's done this, I'd appreciate talking to them!