diff --git a/model/res_users.py b/model/res_users.py
index 970c8ed11a4b05f3a67de5b4a5e65395e50fa3fb_bW9kZWwvcmVzX3VzZXJzLnB5..ba434b7d32497de74f0dcdc5a7b9706f615d12a1_bW9kZWwvcmVzX3VzZXJzLnB5 100644
--- a/model/res_users.py
+++ b/model/res_users.py
@@ -1,3 +1,4 @@
 # -*- encoding: utf-8 -*-
 import logging
+# this is our very own dependency
 import lasso
@@ -3,4 +4,6 @@
 import lasso
+# this is an odoo8 dep so it should be present 'by default'
+import passlib
 
 import openerp
 from openerp.osv import osv, fields
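Review bot: `import passlib` binds only the top-level package, while the `check_credentials` hunk further down references `passlib.exc.PasswordSizeError`. As far as I know, passlib's `__init__` does not import its `exc` submodule, so the attribute resolves only if some other module has already imported it. If it has not, the `except` clause itself raises `AttributeError` while a login failure is being handled. Importing the submodule explicitly removes that dependency on load order: `import passlib.exc`.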
@@ -28,7 +31,7 @@
         password.
         """
 
-        if self._allow_saml_uid_and_internal_password(cr, context):
+        if self._allow_saml_uid_and_internal_password(cr, uid, context):
             # The constraint is a no-op in this case.
             return True
 
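Review bot: The `uid` now passed to `_allow_saml_uid_and_internal_password` is the user performing the operation, not the user record being validated, so the superuser shortcut in that helper applies to every record the superuser touches. The comment added in the last hunk suggests the intent is that the superuser's own account may keep a password. As written, any account created or edited by the superuser, or by server code running as `SUPERUSER_ID`, can keep both a SAML UID and a local password. The same applies to the `write` hunk, where `vals['password'] = False` is skipped in that case. Consider comparing the ids of the records being checked against `SUPERUSER_ID` instead; the constraint's signature is outside this hunk, so confirm what it receives.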
@@ -43,7 +46,7 @@
         (
             _no_password_with_saml,
             (
-                'SAML2 authentication: An Odoo user cannot posess both an '
+                'SAML2 authentication: An Odoo user cannot possess both a '
                 'SAML user ID and an Odoo password.'
             ),
             ['password', 'saml_uid']
@@ -58,10 +61,10 @@
         ),
     ]
 
-    def _auth_saml_validate(self, cr, uid, provider, token, context=None):
+    def _auth_saml_validate(self, cr, uid, provider_id, token, context=None):
         """ return the validation data corresponding to the access token """
 
         p = self.pool.get('auth.saml.provider')
         # we are not yet logged in, so the userid cannot have access to the
         # fields we need yet
         login = p._get_lasso_for_provider(
@@ -62,13 +65,13 @@
         """ return the validation data corresponding to the access token """
 
         p = self.pool.get('auth.saml.provider')
         # we are not yet logged in, so the userid cannot have access to the
         # fields we need yet
         login = p._get_lasso_for_provider(
-            cr, SUPERUSER_ID, provider, context=context
+            cr, SUPERUSER_ID, provider_id, context=context
         )
 
         try:
             login.processAuthnResponseMsg(token)
         except (lasso.DsError, lasso.ProfileCannotVerifySignatureError):
             raise Exception('Lasso Profile cannot verify signature')
@@ -69,9 +72,11 @@
         )
 
         try:
             login.processAuthnResponseMsg(token)
         except (lasso.DsError, lasso.ProfileCannotVerifySignatureError):
             raise Exception('Lasso Profile cannot verify signature')
+        except lasso.ProfileStatusNotSuccessError:
+            raise Exception('Profile Status Not Success Error')
         except lasso.Error, e:
             raise Exception(repr(e))
 
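Review bot: The new `except lasso.ProfileStatusNotSuccessError` branch raises a bare `Exception` with a fixed string, so callers cannot tell a login refused by the IdP from an internal fault, and the failed attempt is not logged. `openerp.exceptions.AccessDenied` is already used in this file and would let the login path handle it like any other refused authentication, e.g. `raise openerp.exceptions.AccessDenied()` preceded by a warning-level log line. Whether callers outside this hunk depend on the generic `Exception` type is not visible here, so check them before changing it. The neighbouring `raise Exception(repr(e))` has the same weakness and may also pass library error detail back to the client.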
@@ -186,7 +191,7 @@
         try:
             super(res_users, self).check_credentials(cr, uid, token)
 
-        except openerp.exceptions.AccessDenied:
+        except (openerp.exceptions.AccessDenied, passlib.exc.PasswordSizeError):
             # since normal auth did not succeed we now try to find if the user
             # has an active token attached to his uid
             res = token_osv.search(
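Review bot: Nothing at the widened `except` explains why a passlib error is treated like a failed password check. Presumably a SAML token passed as the password exceeds passlib's maximum password size, so the parent `check_credentials` raises `PasswordSizeError` instead of `AccessDenied`. A comment such as `# SAML tokens can exceed passlib's max password size; treat that as a failed local login` would record this. Any oversized input now falls through to the token lookup, so the search that follows (its body continues outside this hunk) must remain the only thing that grants access.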
@@ -209,7 +214,7 @@
         """
 
         if vals and vals.get('saml_uid'):
-            if not self._allow_saml_uid_and_internal_password(cr, context):
+            if not self._allow_saml_uid_and_internal_password(cr, uid, context):
                 vals['password'] = False
 
         return super(res_users, self).write(
@@ -217,6 +222,10 @@
         )
 
     def _allow_saml_uid_and_internal_password(self, cr, uid, context):
+
+        # super user is always allowed to have a password in the database
+        # as opposed to other users... Doing so avoids being locked out
+        # of your own instance in case there is an issue with your IDP
         if uid == SUPERUSER_ID:
             return true
         setting_obj = self.pool['base.config.settings']
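Review bot: The branch documented by the new comment ends in `return true`, which is not a Python name, so the superuser path raises `NameError` instead of allowing the password. That is the opposite of the lock-out protection the comment describes, because any constraint check or `write` run as `SUPERUSER_ID` would fail. The line should read `return True`. The rest of `_allow_saml_uid_and_internal_password` continues outside this hunk.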