Well I realized yesterday the stupid thing I did that was causing a lot of my confusion. I thought I was supposed to create a page at /saml/acs to handle the response from the idP. Once I renamed that page to something else, the HttpModule handled everything for me and parsed/validated the response. It also authenticates the user using "Federated" cookie authentication, which I am not familiar with.

So now my question is, is there some way for me to simply get notified that the Saml validation was successful and let me handle the authentication using the normal ASP.NET "Forms" authentication? Basically I just need to look at the NameID coming from the Saml packet and use that to look up the corresponding user in my database and authenticate them.