Open
Description
In order to continue ensuring that invalid conditions, which would represent security issues, are correctly detected, we need some better test coverage. Currently, we have many places where we throw exceptions if there are problems with SAML processing. However, we don't have test coverage for these conditions.
It is currently possible to modify code to allow an unsafe condition through as valid SAML and still have all the existing tests pass. It is very difficult to catch such cases in code review. Thus, we need to add tests that will cover every exception that we throw so that we can ensure these invalid cases are always detected correctly.