  • Support only the urn:liberty:security:2006-08:ClientTLS:peerSAMLV2 and the urn:liberty:security:2005-02:TLS:Bearer security mechanisms for authentication of services to the IdP. The first is holder-of-key: the SAML assertion is bound to the TLS client certificate the service presents; the second is bearer: the assertion is simply presented over server-authenticated TLS. This avoids any requirement for complex signature creation on the part of the ECP client, while still allowing either bearer or holder-of-key authentication via a SAML assertion.
    • Should message signing be a desirable approach, the urn:liberty:security:2006-08:TLS:SAMLV2 mechanism can be implemented, but this will require profiling WS-Security sufficiently to keep the work manageable.
  • Require that the EndpointReference information for the IdP's SSOS signal either that no security token is required (unlikely), or that the enclosing assertion in which the EndpointReference appears is to be used. Embedding additional tokens or referencing other external tokens will not be supported.
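As an added illustration (not code from this page or from the Shibboleth project), the following Python check enforces the two requirements above on the SSOS EndpointReference carried inside an assertion: only the two listed security mechanisms are accepted, and the EPR's security context must either name no token or reference the enclosing assertion itself. The EPR layout it parses (a WS-Addressing EndpointReference whose Metadata holds a Liberty disco:SecurityContext with disco:SecurityMechID and sec:Token children, the EPR placed in a SAML attribute named urn:liberty:ssos:2006-08, and the token reference expressed as a fragment URI of the assertion's ID) is assumed for the example; the IdP address, assertion ID and all sample assertions are constructed.

```python
import xml.etree.ElementTree as ET

# Namespaces for the assumed EPR layout: WS-Addressing for the EPR itself,
# Liberty ID-WSF disco for SecurityContext/SecurityMechID, Liberty sec for Token.
NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "wsa": "http://www.w3.org/2005/08/addressing",
    "disco": "urn:liberty:disco:2006-08",
    "sec": "urn:liberty:security:2006-08",
}

# The only two mechanisms the requirement admits.
SUPPORTED_MECHS = {
    "urn:liberty:security:2006-08:ClientTLS:peerSAMLV2",  # holder-of-key via client TLS
    "urn:liberty:security:2005-02:TLS:Bearer",            # bearer over server-auth TLS
}


def check_ssos_epr(assertion_xml: str) -> tuple[bool, str]:
    """Return (accepted, reason) for the SSOS EPR found inside a SAML assertion.

    Accepts only a supported SecurityMechID together with either no sec:Token
    at all or a single sec:Token whose ref points at the enclosing assertion.
    Embedded tokens and references to any other token are rejected.
    """
    assertion = ET.fromstring(assertion_xml)
    assertion_id = assertion.get("ID")
    if not assertion_id:
        return False, "assertion has no ID to reference"

    epr = assertion.find(".//wsa:EndpointReference", NS)
    if epr is None:
        return False, "no EndpointReference in assertion"
    ctx = epr.find("wsa:Metadata/disco:SecurityContext", NS)
    if ctx is None:
        return False, "EndpointReference carries no SecurityContext"

    mechs = [(m.text or "").strip() for m in ctx.findall("disco:SecurityMechID", NS)]
    if not mechs:
        return False, "SecurityContext names no security mechanism"
    unsupported = sorted(set(mechs) - SUPPORTED_MECHS)
    if unsupported:
        return False, "unsupported security mechanism(s): " + ", ".join(unsupported)

    tokens = ctx.findall("sec:Token", NS)
    if not tokens:
        return True, "no security token required"
    if len(tokens) > 1:
        return False, "additional tokens are not supported"
    token = tokens[0]
    if len(token) > 0:  # child elements means an embedded token
        return False, "embedded security token is not supported"
    ref = token.get("ref")
    if ref is None:
        return False, "sec:Token has neither content nor a ref"
    if ref.lstrip("#") != assertion_id:  # assumed: ref is a fragment of the assertion ID
        return False, f"sec:Token references an external token: {ref}"
    return True, "enclosing assertion is the security token"


def sample_assertion(mech: str, token_xml: str) -> str:
    """Constructed sample assertion (not a real IdP response); values are illustrative."""
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_a1b2c3" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:liberty:ssos:2006-08">
      <saml:AttributeValue>
        <wsa:EndpointReference xmlns:wsa="{NS['wsa']}"
            xmlns:disco="{NS['disco']}" xmlns:sec="{NS['sec']}">
          <wsa:Address>https://idp.example.org/idp/ssos</wsa:Address>
          <wsa:Metadata>
            <disco:SecurityContext>
              <disco:SecurityMechID>{mech}</disco:SecurityMechID>
              {token_xml}
            </disco:SecurityContext>
          </wsa:Metadata>
        </wsa:EndpointReference>
      </saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


PEER = "urn:liberty:security:2006-08:ClientTLS:peerSAMLV2"
BEARER = "urn:liberty:security:2005-02:TLS:Bearer"
USAGE = 'usage="urn:liberty:security:tokenusage:2006-08:SecurityToken"'

# Constructed cases: the two accepted shapes and three that must be rejected.
CASES = {
    "hok, enclosing assertion": sample_assertion(PEER, f'<sec:Token ref="#_a1b2c3" {USAGE}/>'),
    "bearer, no token": sample_assertion(BEARER, ""),
    "message signing mech": sample_assertion(
        "urn:liberty:security:2006-08:TLS:SAMLV2", f'<sec:Token ref="#_a1b2c3" {USAGE}/>'),
    "external token ref": sample_assertion(
        PEER, f'<sec:Token ref="https://sts.example.org/tok/42" {USAGE}/>'),
    "embedded token": sample_assertion(
        PEER, f'<sec:Token {USAGE}><saml:Assertion ID="_other" Version="2.0"/></sec:Token>'),
}

if __name__ == "__main__":
    for name, xml in CASES.items():
        ok, reason = check_ssos_epr(xml)
        print(f"{name:26s} -> {'accept' if ok else 'reject'}: {reason}")
```

The check is deliberately strict in the direction the requirement takes: anything other than "no token" or "this assertion" is refused, so a service cannot steer the ECP client toward the message-signing mechanism or toward a token the IdP never issued.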