I'm still having fun in my IDP quest. I've successfully navigated the X509V3Credential issue thanks to some help from the MSDN board and despite some apparently bad or outdated MS doco.
What does that mean? I'm accepting requests along with a client certificate (which I trust), which is then included in the card I issue. When the user selects the card, the CardSpace client will retrieve the certificate from the appropriate store and use it for authentication back to the IDP. The IDP will retrieve attributes based on the certificate subjectDN from an LDAP, and send them back to the user in a SAML assertion. And then it dies.
Why? I'm not including the right WS Security headers in the response, if the CardSpace logging is to be believed. Which ones do I need to include? Got me. I don't know if it's a requirement set by the CardSpace client or by WS-Trust (which I'm admittedly not terribly knowledgeable about), but I'm working on it now. I'm going to review the spec to hopefully find some insight on the problem.