I think the error handling of the SAML2 HTTP POST and Redirect bindings does not
conform to the rules set in the SAML2 bindings specification.
In sections 3.4.6 and 3.5.6 of said specification, it is stated that:
"HTTP interactions during the message exchange MUST NOT use HTTP error
status codes to indicate failures in SAML processing, since the user
agent is not a full party to the SAML protocol exchange."
However, this is exactly what happens when an exception is thrown in the SAML2
stack of OpenAM - an HTTP error is returned to the browser, and user interaction
stops there instead of returning to the service provider.
Last tested with OpenSSO 8.0, but reading the latest sources I conclude there
has been no change w.r.t. the behaviour described above.
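As an added illustration (not part of this report and not OpenAM code), this is the shape of the behaviour sections 3.4.6/3.5.6 call for: a failure inside SAML processing is mapped to a samlp:Status and handed back to the service provider over the HTTP POST binding with a 200 response, so the user agent simply carries it home instead of being stranded on an HTTP error page. The helper names, the issuer/ACS URLs and the request id are assumed for the example.

```python
import base64
import html
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from uuid import uuid4

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"  # failure on the IdP side
STATUS_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"  # bad request from the SP
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_error_response(issuer, destination, in_response_to, status_code, message):
    """Unsigned samlp:Response carrying a non-Success Status (hypothetical helper)."""
    resp = ET.Element(f"{{{SAMLP}}}Response", {
        "ID": "_" + uuid4().hex, "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": destination, "InResponseTo": in_response_to})
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = issuer
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    ET.SubElement(status, f"{{{SAMLP}}}StatusCode", {"Value": status_code})
    ET.SubElement(status, f"{{{SAMLP}}}StatusMessage").text = message
    return ET.tostring(resp, encoding="unicode")


def post_binding_response(destination, saml_xml, relay_state=None):
    """HTTP POST binding: (status, headers, body) is always 200 + an auto-submitting form."""
    fields = [("SAMLResponse", base64.b64encode(saml_xml.encode()).decode())]
    if relay_state is not None:
        fields.append(("RelayState", relay_state))  # echoed back unchanged, per the binding
    inputs = "".join(f'<input type="hidden" name="{n}" value="{html.escape(v)}"/>' for n, v in fields)
    body = (f'<html><body onload="document.forms[0].submit()">'
            f'<form method="post" action="{html.escape(destination)}">{inputs}'
            f'<noscript><input type="submit" value="Continue"/></noscript></form></body></html>')
    return 200, {"Content-Type": "text/html; charset=utf-8"}, body


def handle_processing_failure(exc, issuer, sp_acs_url, request_id, relay_state=None):
    """Instead of letting the exception become an HTTP 5xx, map it to a SAML second-level status."""
    code = STATUS_REQUESTER if isinstance(exc, ValueError) else STATUS_RESPONDER
    return post_binding_response(
        sp_acs_url, build_error_response(issuer, sp_acs_url, request_id, code, str(exc)), relay_state)


def extract_saml_response(body):
    """Undo the POST binding encoding (what the SP's ACS does) so the Status can be inspected."""
    encoded = re.search(r'name="SAMLResponse" value="([^"]+)"', body).group(1)
    return base64.b64decode(encoded).decode()
```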