
Survey security of using SAML plugin in production and test against standard IDPs


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Fix Version/s: 4.5.0, 4.6.0
    • Security Level: Public (Anyone can view this level - this is the default.)

    Description

      Since the SAML plugin will ship with 4.5, and while it's not enabled by default, we need to do a lot of testing and make sure whatever we're shipping works generally in most cases. While the protocol does not dictate what different metadata an IDP should return other than NameID (like a UUID), it needs to work just based on that and provide other mechanisms to support additional metadata such as email, name, timezone etc.

      The other main aim is to test various possible loopholes it could have, or exploits or bad conflicts with respect to transient vs non-transient/unique NameIDs, SAML token signature checking, as well as the HTTP-redirected authentication process. A final set of tests (possibly automated tests) or manual QA should be run against known standard IDP implementations, for example openidp, ssocircle, shibboleth etc.
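      The following is an added example, not code from the CloudStack SAML plugin or from this ticket, of the assertion-level checks the test plan above is concerned with: the SP must be able to establish a user from the NameID alone, it should refuse a transient NameID (which cannot map to a stable account), it must require a signature element on the assertion before any cryptographic verification, and it should pick up optional attributes such as email, name and timezone when present. The two SAML Response documents, the audience URL and the attribute names are constructed for the example; the signature check here is structural only (presence of ds:Signature), and the actual XML-DSig verification must be done by a proper signature library against the IDP's metadata certificate.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Constructed sample: persistent NameID, a Signature element, matching audience,
# and optional attributes. The SignatureValue is a placeholder, not a real signature.
GOOD_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
    </ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">user-7d2b</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://cloudstack.example.test/sp</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>alice@example.test</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="name"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="timezone"><saml:AttributeValue>Europe/Berlin</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample of what the test plan wants rejected: transient NameID,
# no Signature element, no attributes at all.
BAD_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r2" Version="2.0">
  <saml:Assertion ID="_a2" Version="2.0">
    <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_tmp-91f</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://cloudstack.example.test/sp</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def inspect_response(xml_text, expected_audience):
    """Return the NameID, its format, optional attributes and a list of policy findings.

    'ok' is True only when a non-transient NameID is present, the assertion carries a
    Signature element, and the audience matches this SP. Attributes are optional, so
    their absence is never a finding: the SP has to work from the NameID alone.
    """
    result = {"name_id": None, "name_id_format": None, "signed": False,
              "attributes": {}, "findings": []}
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        result["findings"].append("no Assertion element in Response")
        result["ok"] = False
        return result

    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        result["findings"].append("Assertion has no usable NameID")
    else:
        result["name_id"] = name_id.text.strip()
        result["name_id_format"] = name_id.get("Format")
        if result["name_id_format"] == TRANSIENT:
            result["findings"].append("NameID format is transient; cannot map to a stable account")

    # Structural check only: a missing Signature is an immediate reject, a present one
    # still has to be verified cryptographically by an XML-DSig library.
    result["signed"] = assertion.find("ds:Signature", NS) is not None
    if not result["signed"]:
        result["findings"].append("Assertion carries no ds:Signature element")

    audience = assertion.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    if audience is None or (audience.text or "").strip() != expected_audience:
        result["findings"].append("Audience does not match this service provider")

    # Optional metadata (email, name, timezone, ...): collected when present, never required.
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS) if v.text]
        result["attributes"][attr.get("Name")] = values

    result["ok"] = not result["findings"]
    return result


if __name__ == "__main__":
    for label, doc in (("good", GOOD_RESPONSE), ("bad", BAD_RESPONSE)):
        print(label, inspect_response(doc, "https://cloudstack.example.test/sp"))
```

      In a QA run against the IDPs named above, each provider's real Response would be fed through a check like this before the cryptographic verification step, so that a transient-only IDP or an IDP that omits the assertion signature is flagged clearly rather than surfacing as a confusing login failure.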


          People

            Assignee: Rohit Yadav (bhaisaab)
            Reporter: Rohit Yadav (bhaisaab)
            Votes: 0
            Watchers: 2
