The SAML Service Provider implemented in Domino 10 is a big improvement over previous versions and integrates without problems with standards-compliant IdPs.
However, one important feature is missing: Single Logout (a.k.a. Global Logout).
In the current implementation, when a user logs out from Domino, Domino ends only its own session and does not end the session with the IdP (it sends no SAML LogoutRequest). Because the browser still holds the IdP's session cookie, anyone using that browser (the same user or another!) only needs to open the Domino server again and is silently re-authenticated and granted access.
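To make the difference concrete, here is an added example (written for this post, not Domino's code and not from the Domino documentation) of what an SP-initiated Single Logout looks like: the SP drops its own session and then redirects the browser to the IdP's SLO endpoint with a SAML 2.0 LogoutRequest carrying the NameID and SessionIndex from the original assertion, encoded with the HTTP-Redirect binding (raw DEFLATE, base64, URL query). A local-only logout stops after the first step, which is the behaviour described above. The entity IDs, endpoint URL, cookie key, NameID and SessionIndex are constructed placeholders; request signing (the SigAlg/Signature query parameters, which most IdPs require) and LogoutResponse handling are omitted.

```python
"""SP-initiated SAML 2.0 Single Logout, HTTP-Redirect binding (illustrative, stdlib only)."""
import base64
import datetime
import uuid
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Constructed placeholders for this example; not real endpoints or identifiers.
SP_ENTITY_ID = "https://domino.example.com/saml/sp"
IDP_SLO_URL = "https://idp.example.com/saml2/slo"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


def build_logout_request(sp_entity_id, idp_slo_url, name_id, session_index,
                         name_id_format=EMAIL_FORMAT, now=None):
    """Return (request_id, xml) for a LogoutRequest.

    NameID and SessionIndex must be the values the IdP issued in the original
    Assertion: that is what lets the IdP locate and terminate *its* session.
    """
    request_id = "_" + uuid.uuid4().hex
    now = now or datetime.datetime.now(datetime.timezone.utc)
    root = ET.Element(f"{{{SAMLP}}}LogoutRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": now.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": idp_slo_url,
    })
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = sp_entity_id
    ET.SubElement(root, f"{{{SAML}}}NameID", {"Format": name_id_format}).text = name_id
    ET.SubElement(root, f"{{{SAMLP}}}SessionIndex").text = session_index
    return request_id, ET.tostring(root, encoding="unicode")


def encode_redirect_binding(xml, relay_state=None):
    """Raw DEFLATE (no zlib header) + base64 + URL encoding, per the SAML bindings spec."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = compressor.compress(xml.encode("utf-8")) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return urlencode(params)


def build_slo_redirect_url(sp_entity_id, idp_slo_url, name_id, session_index, relay_state=None):
    request_id, xml = build_logout_request(sp_entity_id, idp_slo_url, name_id, session_index)
    return request_id, f"{idp_slo_url}?{encode_redirect_binding(xml, relay_state)}"


def sp_logout(sessions, sp_cookie, relay_state=None):
    """End the SP's own session, then return the IdP SLO URL to redirect the browser to.

    A local-only logout (the behaviour described in the text) would stop after
    the pop(); the IdP session cookie in the browser would stay valid.
    """
    sess = sessions.pop(sp_cookie)
    _, url = build_slo_redirect_url(SP_ENTITY_ID, IDP_SLO_URL,
                                    sess["name_id"], sess["session_index"], relay_state)
    return url


def decode_redirect_binding(url):
    """Inverse of encode_redirect_binding: what the IdP does on receipt."""
    query = parse_qs(urlparse(url).query)
    raw = base64.b64decode(query["SAMLRequest"][0])
    xml = zlib.decompress(raw, -15).decode("utf-8")
    return xml, query.get("RelayState", [None])[0]


def parse_logout_request(xml, expected_destination):
    """Minimal receiver-side check: element type and Destination, then the identifying fields."""
    root = ET.fromstring(xml)
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        raise ValueError("not a samlp:LogoutRequest")
    if root.get("Destination") != expected_destination:
        raise ValueError("Destination does not match this endpoint")
    return {
        "id": root.get("ID"),
        "issuer": root.findtext(f"{{{SAML}}}Issuer"),
        "name_id": root.findtext(f"{{{SAML}}}NameID"),
        "session_index": root.findtext(f"{{{SAMLP}}}SessionIndex"),
    }


if __name__ == "__main__":
    # Constructed SP session store: the SP must keep NameID/SessionIndex from login to do SLO later.
    sessions = {"cookie-1": {"name_id": "alice@example.com", "session_index": "_idp-session-42"}}
    print(sp_logout(sessions, "cookie-1", relay_state="/mail/alice.nsf"))
```

The practical consequence for an SP is that it has to persist the NameID and SessionIndex from the login assertion alongside its own session; without them it cannot build a LogoutRequest the IdP can act on, and the IdP should also be prepared to send a LogoutRequest to the SP (IdP-initiated logout), which parse_logout_request sketches from the receiving side.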
This shortcoming is described in the document Using Security Assertion Markup Language (SAML) to configure federated-identity authentication on page 45.
We need a working Single Logout in order to provide truly secure solutions that do not depend on users remembering the multiple steps required to log out completely (logging out of the IdP separately as well as from Domino).