After going back to the saml2auth settings for my Plone site, I traced it to the lack of a private key password. It is now added and the sign-in flow proceeds without error.
But it simply takes me back to my Zulip login page.
Everything indicates that the Plone site is working as an identity provider now. Now I'm figuring out the "last leg" on the Zulip/SP side of things.