Why does the AWS VPN client's SAML setup use HTTP for the ACS?
Posted by enigmaunbound@reddit | sysadmin | 5 comments
I'm working on setting up an AWS Client VPN to use Entra ID as the SAML IdP. There is an odd set of steps in both the AWS and Microsoft implementation guides. They require configuring the Assertion Consumer Service (ACS) to use HTTP for the local host. I'm trying to work this out and any security ramifications. Typically you do not want the ACS communication in clear text because that can let someone else interrupt or intercept the authentication materials, including the access token. With the ACS being set to a local host value I am very confused. The ACS is typically hosted at the SP service. Can anyone explain why the ACS is set up the way it is? What are the practical security issues with this config? My best guess is that the AWS VPN client gets the SAML response from the IdP and then proxies the ACS through the tunnel. But I'm guessing at that.
Resources:
[https://aws.amazon.com/blogs/apn/how-to-integrate-aws-client-vpn-with-azure-active-directory/](https://aws.amazon.com/blogs/apn/how-to-integrate-aws-client-vpn-with-azure-active-directory/)
[https://learn.microsoft.com/en-us/entra/identity/saas-apps/aws-clientvpn-tutorial](https://learn.microsoft.com/en-us/entra/identity/saas-apps/aws-clientvpn-tutorial)
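As an added illustration (not code from the post, from AWS, or from Microsoft), the block below shows the two things an SP component running on the user's own machine should do when its ACS is a plain-http loopback URL: refuse any http ACS that is not bound to the loopback interface, and validate the POSTed SAML Response against the ACS URL, the outstanding AuthnRequest ID, the audience and the validity window, so that a replayed or redirected assertion is rejected even though the transport is not TLS. Whether the AWS client implements exactly this is not confirmed by the thread. The SAML Response, port, request ID and audience are constructed sample values, and XML-signature verification is assumed to be done first by a separate XML-DSig library (not shown).

```python
import base64
import datetime as dt
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: an unsigned SAML Response as an IdP's browser form would POST
# it to a loopback ACS. Port, IDs, names and times are invented for this example.
SAMPLE_ACS = "http://127.0.0.1:12345/saml"
SAMPLE_REQUEST_ID = "_req1"
SAMPLE_AUDIENCE = "urn:example:vpn-sp"
SAMPLE_RESPONSE_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z"
    Destination="{SAMPLE_ACS}" InResponseTo="{SAMPLE_REQUEST_ID}">
  <saml:Issuer>https://idp.example.test/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://idp.example.test/</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@example.test</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="{SAMPLE_REQUEST_ID}"
            Recipient="{SAMPLE_ACS}" NotOnOrAfter="2024-01-01T12:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SAMPLE_AUDIENCE}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()
SAMPLE_NOW = dt.datetime(2024, 1, 1, 12, 1, tzinfo=dt.timezone.utc)


def is_loopback_acs(acs_url: str) -> bool:
    """True if the ACS is https, or plain http bound strictly to the loopback interface.
    Plain http on any routable address would put the bearer assertion on the wire."""
    u = urlparse(acs_url)
    if u.scheme == "https":
        return True
    if u.scheme != "http" or not u.hostname:
        return False
    try:
        return ipaddress.ip_address(u.hostname).is_loopback
    except ValueError:
        return u.hostname == "localhost"


def _ts(value: str) -> dt.datetime:
    """Parse a SAML UTC timestamp such as 2024-01-01T12:05:00Z."""
    return dt.datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_saml_response(b64_response, expected_acs, expected_request_id, expected_audience, now):
    """Return the list of problems found; an empty list means the response passed.
    Assumes the XML signature was already verified by an XML-DSig library."""
    problems = []
    root = ET.fromstring(base64.b64decode(b64_response))
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != "urn:oasis:names:tc:SAML:2.0:status:Success":
        problems.append("status is not Success")
    # Destination and InResponseTo tie the response to this ACS and to a request we issued.
    if root.get("Destination") != expected_acs:
        problems.append("Destination does not match our ACS")
    if root.get("InResponseTo") != expected_request_id:
        problems.append("InResponseTo does not match an outstanding AuthnRequest")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no Assertion")
        return problems
    conds = assertion.find("saml:Conditions", NS)
    if conds is None:
        problems.append("no Conditions")
    else:
        not_before, not_after = conds.get("NotBefore"), conds.get("NotOnOrAfter")
        if (not_before and now < _ts(not_before)) or (not_after and now >= _ts(not_after)):
            problems.append("assertion outside its validity window")
        audiences = [a.text for a in conds.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if expected_audience not in audiences:
            problems.append("AudienceRestriction does not name this SP")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        problems.append("no SubjectConfirmationData")
    else:
        if scd.get("Recipient") != expected_acs:
            problems.append("Recipient does not match our ACS")
        if scd.get("InResponseTo") != expected_request_id:
            problems.append("SubjectConfirmationData.InResponseTo mismatch")
        if scd.get("NotOnOrAfter") and now >= _ts(scd.get("NotOnOrAfter")):
            problems.append("bearer confirmation expired")
    return problems


if __name__ == "__main__":
    print("loopback ACS accepted:", is_loopback_acs(SAMPLE_ACS))
    print("LAN http ACS accepted:", is_loopback_acs("http://192.168.1.5/saml"))
    print("problems with sample:", check_saml_response(
        SAMPLE_RESPONSE_B64, SAMPLE_ACS, SAMPLE_REQUEST_ID, SAMPLE_AUDIENCE, SAMPLE_NOW))
```

The `is_loopback_acs` check captures the reason a plain-http ACS can be tolerable only on 127.0.0.1: the browser's POST to a loopback listener never reaches a network interface, so there is nothing on the wire for a third party on the LAN to read. The remaining checks are the same ones a server-hosted ACS must perform, and they are what stops a captured or replayed response from being accepted, which matters more than transport encryption once the listener is local.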
5 Comments
enigmaunbound@reddit (OP)
wezelboy@reddit
enigmaunbound@reddit (OP)
wezelboy@reddit
enigmaunbound@reddit (OP)