> I'm not actually sure 3 is possible: I'm not sure whether the return URL
> is covered by the signature.
The signature in a SAML redirect binding URL is over a defined set of
parameters in a particular order, and is not perturbed by additional
parameters (though of course they are not protected by it).
-- Scott
|