Discourse-saml: There was an error authorizing your account

So, after doing a fair bit of experimenting I have gotten SAML 2.0 authentication fully working with our Discourse instance. I thought it would be worthwhile posting here in case others would like to do the same thing.

We are running Discourse over HTTPS with a Let’s Encrypt certificate (although the exact issuer is irrelevant, the fact that it’s running over HTTPS is important). As per the first message in this thread, the callback from the IdP was being sent to the HTTP version of our site, not HTTPS.

EDIT: Sorry, there’s a mistake above. It should read: the callback from the IdP was being sent to the HTTPS version of our site, but Discourse was expecting it to be sent to the HTTP version.

Despite changing all the settings I could find in Discourse to force HTTPS it still didn’t want to cooperate, and I couldn’t find an easy way to change Discourse.base_url to be HTTPS rather than HTTP.

So, I did a bit of a hacky solution. I forked the discourse-saml repo on GitHub and replaced the four references to Discourse.base_url with the hardcoded HTTPS URL to our Discourse instance (e.g. https://forum.example.com). I then referenced that repo as the plugin in the app.yml file (so that it used my version instead) and all worked.

Additionally, thanks to @sam on this thread I also made another modification which means that if SAML is the only authentication method being used (which it is for our instance; we have disabled local user accounts) it won’t pop up for authentication but will instead follow through in the main web browser window. Makes the flow a bit nicer, without additional windows popping up everywhere.
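The error the post describes is a scheme mismatch: the IdP posts the response to the HTTPS callback while the service provider expects the HTTP one, and the SAML `Destination`/`Recipient` checks fail. As an added example (not the poster's fork or discourse-saml's own code), this Ruby derives the HTTPS callback URL from a base URL instead of hardcoding it, and reports exactly which component of a response's addressing differs from what the SP expects; it assumes the base URL is passed in as a plain string rather than read from Discourse.base_url, that `/auth/saml/callback` is the plugin's callback path, and that standard ports are used.

```ruby
require 'rexml/document'
require 'uri'

# Namespace used to locate the assertion's SubjectConfirmationData.
SAML_NS = { 'saml' => 'urn:oasis:names:tc:SAML:2.0:assertion' }.freeze

# Derive the callback (ACS) URL the IdP must POST to. The base URL is passed
# in as a plain string instead of reading Discourse.base_url; when the site is
# served over TLS the scheme is forced to https. The default path is the
# OmniAuth-style callback path assumed for discourse-saml (standard ports only).
def saml_callback_url(base_url, force_https: true, path: '/auth/saml/callback')
  host = URI.parse(base_url).host
  (force_https ? URI::HTTPS : URI::HTTP).build(host: host, path: path).to_s
end

# Compare the Response's Destination and the assertion's Recipient with the ACS
# URL this SP expects, component by component, so an http/https mismatch is
# reported explicitly rather than surfacing as a generic authorization error.
def acs_mismatches(response_xml, expected_acs)
  doc  = REXML::Document.new(response_xml)
  want = URI.parse(expected_acs)
  scd  = REXML::XPath.first(doc, '//saml:SubjectConfirmationData', SAML_NS)
  found = {
    'Destination' => doc.root.attributes['Destination'],
    'Recipient'   => scd && scd.attributes['Recipient']
  }
  found.flat_map do |name, value|
    next ["#{name} missing"] if value.nil?
    got = URI.parse(value)
    %i[scheme host path].reject { |p| got.send(p) == want.send(p) }
                        .map { |p| "#{name} #{p}: #{got.send(p)} != #{want.send(p)}" }
  end
end

# Constructed, unsigned sample response for illustration only.
SAMPLE_RESPONSE = <<~XML
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0"
      IssueInstant="2020-01-01T00:00:00Z"
      Destination="https://forum.example.com/auth/saml/callback">
    <saml:Assertion ID="_c2" Version="2.0" IssueInstant="2020-01-01T00:00:00Z">
      <saml:Subject><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://forum.example.com/auth/saml/callback"/>
      </saml:SubjectConfirmation></saml:Subject>
    </saml:Assertion>
  </samlp:Response>
XML
```

Calling `acs_mismatches(SAMPLE_RESPONSE, saml_callback_url('http://forum.example.com', force_https: false))` reproduces the post's situation and names the scheme mismatch on both Destination and Recipient; with the default `force_https: true` the list is empty.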