Like the person here...
Using Kentor.AuthServices.StubIdp as production IDP
...I'm not that familiar with SAML. The commenter mentions that additional checks would be needed to validate the incoming requests but does not include what sorts of checks should be made to ensure that they're valid (I would have added a comment there but unfortunately this site won't let me yet).
Are there any pages that go into more detail in regards to the checking that ought to be done and how to go about doing it? For that matter are there any tutorials on how to use this in a wider sense?
I'm trying to come up with an IDP that will just pass the username and password to a function. This function will return whether the details are valid or not, and then the IDP would send back something to the client to show whether the function has succeeded or not (presumably a token of some sort on success). This is only intended to be an intermediate step and the IDP will be required to do the checking itself later on.
Any idea how to achieve this?
Either way I would still be interested to know what checks should be done to keep things secure.
The checks I refer to in that other answer are those mandated by the SAML2 standard documents. They are very specific in what validations should be done by a conforming Idp.