There are subtle issues of cryptography, replay attacks, and various other forms of attack that are easily overlooked.
SAML provides protection from replay attacks by requiring the use of SSL encryption when transmitting assertions and messages, specifically to prevent interception of assertions.
While the ID is randomly generated, it is still subject to replay attacks because it does not time out (except when idle).
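The point above is that a random, unguessable ID on its own does not stop replay: an attacker who captures the assertion can present it again as long as the relying party still accepts it. The check below is an added example (not code from the page or from any SAML library) of what a service provider does about that: it parses the assertion's `ID` and `Conditions` (`NotBefore`/`NotOnOrAfter`, which SAML 2.0 assertions carry), rejects anything outside its validity window, and remembers accepted IDs until that window closes so a second presentation is refused. The sample assertion, the issuer URL and the clock-skew allowance are constructed for the example; signature verification is assumed to have happened already.

```python
"""Replay check for SAML 2.0 assertions (added example, not from the page).

Assumes the XML signature was already verified and that the assertion
carries an ID plus a Conditions element with NotOnOrAfter (NotBefore is
optional in SAML). Accepted IDs are cached only until they expire, so the
cache stays bounded and an ID without an expiry cannot be accepted safely.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not a real IdP's output); issuer is a placeholder.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_constructed-id-0123456789abcdef" Version="2.0"
  IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.invalid</saml:Issuer>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z"
                   NotOnOrAfter="2024-01-01T12:05:00Z"/>
</saml:Assertion>"""

# Same assertion but with no validity window: random ID, never times out.
NO_WINDOW_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_constructed-id-fedcba9876543210" Version="2.0"
  IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.invalid</saml:Issuer>
</saml:Assertion>"""


def parse_utc(value):
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' form SAML uses into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class ReplayCache:
    """Tracks accepted assertion IDs until their NotOnOrAfter has passed."""

    def __init__(self):
        self._seen = {}  # assertion ID -> time after which it can be forgotten

    def _purge(self, cutoff):
        for aid, expiry in list(self._seen.items()):
            if expiry <= cutoff:
                del self._seen[aid]

    def check(self, assertion_xml, now, skew=timedelta(seconds=30)):
        """Return 'accept' or a 'reject: <reason>' string for one presentation."""
        root = ET.fromstring(assertion_xml)
        aid = root.get("ID")
        cond = root.find("saml:Conditions", NS)
        if not aid or cond is None or not cond.get("NotOnOrAfter"):
            # Without an expiry there is no safe point at which to forget the ID,
            # so an unbounded cache would be the only defence; refuse instead.
            return "reject: no validity window"
        not_on_or_after = parse_utc(cond.get("NotOnOrAfter"))
        if cond.get("NotBefore") and now + skew < parse_utc(cond.get("NotBefore")):
            return "reject: not yet valid"
        if now - skew >= not_on_or_after:
            return "reject: expired"
        self._purge(now - skew)  # drop IDs whose window closed (allowing for skew)
        if aid in self._seen:
            return "reject: replayed"
        self._seen[aid] = not_on_or_after + skew
        return "accept"


def demo():
    """Present the same assertion three times: fresh, replayed, then expired."""
    cache = ReplayCache()
    t0 = parse_utc("2024-01-01T12:00:00Z")
    return [
        cache.check(SAMPLE_ASSERTION, t0 + timedelta(minutes=1)),
        cache.check(SAMPLE_ASSERTION, t0 + timedelta(minutes=2)),
        cache.check(SAMPLE_ASSERTION, t0 + timedelta(minutes=6)),
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
    print(ReplayCache().check(NO_WINDOW_ASSERTION, parse_utc("2024-01-01T12:01:00Z")))
```

The cache is keyed on the assertion ID and purged as windows close, which is why the example refuses an assertion with no `NotOnOrAfter` rather than caching its ID forever: that is exactly the "random but never expires" situation the text describes, and transport encryption alone does not help once a copy has been obtained.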