Module does not include a salt in the generated pairwise-id

Not considered a serious issue. The threat model of being able to spoof the proxy is minimal: presuming the proxied IdP XML encrypts the assertions, one would need access to the proxy's decryption key to be able to extract the opaque eduPersonTargetedID, and this typically happens if an attacker has access to the whole of the proxy (and hence the salt, too).