Currently, serialize/unserialize is used to flatten objects for storing in session data. This should really not be done, especially when storing sessions not on the local filesystem...
fkooman/secookie supports JSON serialization now, which is great, but php-saml-sp itself still does serialization as well for some reason; that is not great!
Perhaps fkooman/secookie can also implement a serialize/unserialize with HMAC support so we can solve this in the easy way...
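
The HMAC-wrapped serialize/unserialize suggested above could look like the following. This is an added example, not code from php-saml-sp or fkooman/secookie; the function names, the key handling and the `SampleAssertion` class are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample object standing in for whatever is kept in the session.
final class SampleAssertion
{
    public function __construct(public string $nameId, public array $attributes) {}
}

// Hypothetical helper: prepend a 32-byte HMAC-SHA256 tag to the serialized payload.
function hmacSerialize(mixed $value, string $key): string
{
    $payload = serialize($value);
    return base64_encode(hash_hmac('sha256', $payload, $key, true) . $payload);
}

// Hypothetical helper: authenticate first, only then hand the bytes to unserialize().
function hmacUnserialize(string $blob, string $key, array $allowedClasses): mixed
{
    $raw = base64_decode($blob, true);
    if (false === $raw || strlen($raw) <= 32) {
        throw new RuntimeException('malformed session data');
    }
    $tag = substr($raw, 0, 32);
    $payload = substr($raw, 32);
    // Constant-time comparison; unauthenticated bytes never reach unserialize().
    if (!hash_equals(hash_hmac('sha256', $payload, $key, true), $tag)) {
        throw new RuntimeException('session data failed authentication');
    }
    // Defence in depth: only the listed classes may be instantiated.
    $value = unserialize($payload, ['allowed_classes' => $allowedClasses]);
    if (false === $value && 'b:0;' !== $payload) {
        throw new RuntimeException('session data could not be decoded');
    }
    return $value;
}

// Assumption: in a deployment the key is a persistent server-side secret.
$key = random_bytes(32);
$blob = hmacSerialize(new SampleAssertion('user@example.org', ['role' => ['staff']]), $key);
echo hmacUnserialize($blob, $key, [SampleAssertion::class])->nameId, PHP_EOL;

// A single modified byte in the stored blob is rejected before deserialization.
$raw = base64_decode($blob, true);
$raw[40] = chr(ord($raw[40]) ^ 1);
try {
    hmacUnserialize(base64_encode($raw), $key, [SampleAssertion::class]);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The HMAC only proves the blob was written by a holder of the key, so the key must not be stored alongside the session data.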