...
- Documented Attribute Release Process
- IdPs SHOULD support the
urn:oasis:names:tc:SAML:2.0:nameid-format:persistentname identifier format and/or theeduPersonTargetedIDattribute- stored or computed? (there are disadvantages with each approach)
- IdPs SHOULD support the
urn:oasis:names:tc:SAML:2.0:nameid-format:transientencrypted name identifier format (requires Shib IdP 2.3)- since this identifier can be reversed, it is especially useful for security incident response
- Release of "basic" attributes w/o admin involvement (via consent or otherwise)
- Strawman: It is RECOMMENDED that
eduPersonScopedAffiliation,eduPersonEntitlement, andeduPersonTargetedIDbe released across the board, to all SPs. The five (5) remaining attributes listed on the InCommon Federation Attribute Summary page SHOULD be released to all SPs provided user consent is obtained. In both cases, we're referring to all SPs in the InCommon Federation.
- Strawman: It is RECOMMENDED that
Parked Items
- Keys of less than a certain age
- We should consider what, if any, age is actually "too old"
- Full saml2int conformance
- InCommon Implementation Profile conformance
- Could identify "exceptions to conformance" to highlight specific missing capabilities or could break profile into separate features in the matrix
...