  • Further authenticating the legitimate requesting party: (Could this actually work if you have a trust elevation chain with "strong auth", effectively a fresh transient AAT, after claims-gathering?) Since the victim completes any claims-gathering, and even authentication at the AAT level, under his own session ID before the attacker takes over again, even the strongest authentication protection makes no difference. (However, for attacks to which strong authentication and similar mitigations do apply, see this section of the UMA Security Considerations.)
  • Warning the victim about what the client has redirected him to the AS for: It is already good practice for the AS to give cues about the client's purpose, but this is a weak measure and is known to be insufficient in the phishing situations that can arise today.