Wanted to add/summarize a good point regarding ACS (from this mod_auth_mellon thread): https://code.google.com/p/modmellon/issues/detail?id=28
Basically, IdP should default to using ACS specified in its sp-metadata.xml UNLESS the authn request has been signed. This prevents a malicious actor from spoofing a bogus ACS URL in the authn request.
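As an added example (not code from the mod_auth_mellon thread or the project), here is IdP-side ACS selection along the lines of that rule, in Python. It assumes a constructed sp-metadata.xml and AuthnRequest for a hypothetical SP, and takes the outcome of XML-signature verification as an input rather than performing it.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sp-metadata.xml for a hypothetical SP; its ACS is the only one the IdP trusts.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/mellon/postResponse"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def make_authn_request(acs_url, signed):
    """Build a constructed AuthnRequest; the ds:Signature element is a stand-in, not a real signature."""
    sig = '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>' if signed else ""
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req1" Version="2.0" '
        'IssueInstant="2024-01-01T00:00:00Z" AssertionConsumerServiceURL="%s">'
        "<saml:Issuer>https://sp.example.org</saml:Issuer>%s</samlp:AuthnRequest>" % (acs_url, sig)
    )

def metadata_default_acs(metadata_xml):
    """The ACS the IdP trusts: the isDefault entry from SP metadata, else the first one listed."""
    services = list(ET.fromstring(metadata_xml).iterfind(".//md:AssertionConsumerService", NS))
    for svc in services:
        if svc.get("isDefault") == "true":
            return svc.get("Location")
    return services[0].get("Location")

def choose_acs(authn_request_xml, metadata_xml, signature_verified):
    """Pick the URL the IdP will POST its Response to.

    signature_verified is the result of verifying the request's XML signature against the
    SP's metadata certificate (done elsewhere, e.g. with xmlsec); assumed here, not computed.
    """
    req = ET.fromstring(authn_request_xml)
    requested = req.get("AssertionConsumerServiceURL")
    is_signed = req.find("ds:Signature", NS) is not None
    # Honour the request's ACS only when the request carries a signature that verified;
    # an unsigned (or badly signed) request cannot redirect the assertion anywhere else.
    if requested and is_signed and signature_verified:
        return requested
    return metadata_default_acs(metadata_xml)
```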