Script expects service result BadIdentityTokenRejected

The UserIdentityToken contains a poilcy ID which is not exposed by server e.g. "Anonymous_Channel" but the server exposes "Anonymous".
From my point of view this is an invalid UserIdentity and the server should return BadIdentityTokenInvalid.

In general it is not clearly stated in part 4 - ActivateSession in which cases the service results shall be used

• Bad_IdentityTokenInvalid
• Bad_IdentityTokenRejected
• Bad_UserAccessDenied
  In general I would assume that "Bad_UserAccessDenied" can be completely omitted and "Bad_IdentityTokenRejected " should be used for these cases.
  Since part 4 does not cleary state the usage, CTT should accept more than exatcly one result.

At least our server returns

• Bad_IdentityTokenInvalid if the token type is not supported (e.g. IssuedToken)
• Bad_IdentityTokenRejected if a X509 certificate user certificate is not trusted
• Bad_IdentityTokenInvalid if an empty username is provided (I assume this special handling was introduced for CTT)
• Bad_UserAccessDenied if a username / password is invalid / not known
• Bad_IdentityTokenInvalid if an unkown policy ID is provided

All service results are accepted by CTT - except the last one (as far as I know issued token are not tested).
If would be easy to adapt our server to the expected BadIdentityTokenRejected, but from my point of view the token is anvalid (similar to not supported token type).