Just to clarify, does it work like this:
SAMLServiceProvider.ReceiveSSO(Request, out isInResponseTo, out partnerIdP, out authnContext, out userName, out attributes, out targetUrl);
Does the "username" correspond to the NameID?
Then authentication is marked successful.
What happens if, after this is done, I replace username with a different attribute (such as email)?
Then recall: FormsAuthentication.SetAuthCookie(userName, false);
Then the user signs out.
SAMLServiceProvider.InitiateSLO(Response, null, null, partnerIdP);
Does it still send the NameId from the session, or is it pulling from the cookie username variable?