You are using what is called unsolicited response it is specified in the specification so you are not "missing a step". It specified under 4.1.5 in the SAML profile spec
The normal use case is that the user tries to log in to the SP and the SP redirects the user to IDP for authentication.
One implementation you could choose instead is that your portal simply redirects the user to the SP. IF the SP detects that the user dont have a session the SP starts normal SSO against the IDP