From review of Guillaume's password replay PR 44, where we add support for password replay but don't make any recommendations regarding how credentials are acquired (captured) in the first place.
What use cases do we want to support for deriving the user name and password to be replayed from the incoming front-end user's request? At the moment we assume that the username and password can be recovered from somewhere, but where? Decryption of a cookie assumes a tight cryptographic coupling between OpenIG and the service performing the authentication. It also assumes that the credentials used in the AS are the same as those used in the backend service, which may not always be the case will it? What if we're trying to provide SSO for a number of different services which already have loads of legacy users provisioned to them?
It would be cool to have a mechanism which "learns" to do SSO on behalf of a user by associating lazily acquired backend credentials with the front-end user's OIDC identifier (issuer/subject). In other words, users do single sign on using OIDC and then we monitor for login attempts against backend services. When a user authenticates to the backend service we intercept the credentials and store them in a table keyed on OIDC identifiers (effectively a key ring). Then, the next time the user access the same service, they'll be logged in automatically: OpenIG will detect the backend service's login page, then automatically responds using the front-end user's credentials taken from their keyring.