Oh, and the follow up to this is just that I suspect you can work around their bug by using a SAML implementation that generates a proper signature. It is essentially all but universal in practice to include a second Transform for Exclusive c14n.
-- Scott
