Use assertion id for session index

This was a privacy issue because this allows different SP to correlate
users, defeating persistent and transient NameID mechanisms.
#41

library/EngineBlock/Corto/ProxyServer.php

@@ -666,7 +666,7 @@ public function createEnhancedResponse(
 
         // Copy over the Authentication information because the IdP did the authentication, not us.
         $newAssertion->setAuthnInstant($sourceAssertion->getAuthnInstant());
-        $newAssertion->setSessionIndex($sourceAssertion->getSessionIndex());
+        $newAssertion->setSessionIndex($sourceAssertion->getId());
 
         $newAssertion->setAuthnContextClassRef($sourceAssertion->getAuthnContextClassRef());
         $newAssertion->setAuthnContextDeclRef($sourceAssertion->getAuthnContextDeclRef());