At the November TAC F2F, we discussed having a matrix of best practices by which to evaluate registered sites to help set expectations and create peer pressure. This is a preliminary set of suggested criteria.
Policy
- POP Available
  - For SPs, this may be reduced to attribute requirements and privacy policy (both in metadata)
- Appropriate Contacts
- Federated Incident Response Process

Technical Basics
- Regular Metadata Refresh
- Maintaining Unexpired Certificates
- SAML 2.0 Support
  - IdPs with TLS-protected HTTP-Redirect SSO
  - SPs that support SAML 2.0 should indicate so in metadata
  - SPs with TLS-protected HTTP-POST ACS and an encryption key
- SAML 1.1 Support
  - SPs with TLS-protected HTTP-POST ACS

Operational Maturity
- Maintaining Supported Software
- Operational Compliance with Metadata IOP
- Federation a "First Order" UI
  - Discovery
    - Choices offered should result in an "acceptable" experience
  - Error Handling
  - Look and Feel
  - Useful Contacts

Maximizing the Federation
- Documented Attribute Release Process
- Support for SAML 2.0 "persistent" NameID or eduPersonTargetedID
- Release of "basic" attributes without admin involvement (via consent or otherwise)

Parked Items
- Keys of less than a certain age
  - We should consider what, if any, age is actually "too old"
- Full saml2int conformance
- InCommon Implementation Profile conformance
  - Could identify "exceptions to conformance" to highlight specific missing capabilities, or could break the profile into separate features in the matrix
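Most of the Technical Basics criteria, and the parked key-age item, can be evaluated mechanically from an entity's metadata. The following is an added example, not part of the TAC notes and not InCommon tooling: a Python checker that walks a metadata aggregate, reads each embedded X.509 certificate's validity period with a minimal DER walker (no third-party dependency), and reports per entity whether the IdP's HTTP-Redirect SSO endpoint is TLS-protected, whether the SP declares SAML 2.0 in protocolSupportEnumeration, whether its HTTP-POST ACS endpoints (SAML 2.0 and, if present, SAML 1.1) are TLS-protected, whether it publishes an encryption key, and whether its certificates are unexpired. The sample aggregate and its certificates are constructed (example.edu entity IDs, unsigned and structurally minimal certificates), the criterion names are assumptions, and the five-year certificate-age threshold is an assumption too, since the page leaves the age open.

```python
"""Check SAML metadata against the draft "Technical Basics" criteria and the parked key-age item (added example)."""
import base64
import datetime as dt
import xml.etree.ElementTree as ET
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML2_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
SAML2_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
SAML1_POST = "urn:oasis:names:tc:SAML:1.0:profiles:browser-post"

def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits say how many length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(buf):
    pos = 0
    while pos < len(buf):
        tag, value, pos = _tlv(buf, pos)
        yield tag, value

def cert_validity(der):
    """(notBefore, notAfter) of a DER X.509 certificate as aware UTC datetimes."""
    _, tbs, _ = _tlv(_tlv(der, 0)[1], 0)     # Certificate SEQUENCE -> tbsCertificate SEQUENCE
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:                 # optional explicit [0] version
        fields.pop(0)
    validity = fields[3][1]                  # serial, signature, issuer, validity
    times = []
    for tag, value in _children(validity):   # UTCTime (0x17) or GeneralizedTime (0x18)
        fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
        times.append(dt.datetime.strptime(value.decode(), fmt).replace(tzinfo=dt.timezone.utc))
    return times[0], times[1]

def _tls_endpoints(role, tag, binding):
    """None if the role has no endpoint with this binding, else True iff all of them use https."""
    locs = [e.get("Location", "") for e in role.findall(f"md:{tag}", NS) if e.get("Binding") == binding]
    return all(loc.startswith("https://") for loc in locs) if locs else None

def _certs(role):
    """(use attribute, DER bytes) for every X509Certificate under the role's KeyDescriptors."""
    return [(kd.get("use"), base64.b64decode("".join(c.text.split())))
            for kd in role.findall("md:KeyDescriptor", NS) for c in kd.findall(".//ds:X509Certificate", NS)]

def check_entity(entity, now, max_cert_age_days=5 * 365):
    """Return {criterion: bool} for one EntityDescriptor; checks that do not apply are omitted."""
    idp, sp = entity.find("md:IDPSSODescriptor", NS), entity.find("md:SPSSODescriptor", NS)
    spans = [cert_validity(der) for role in (idp, sp) if role is not None for _, der in _certs(role)]
    results = {"unexpired_certificates": bool(spans) and all(nb <= now <= na for nb, na in spans),
               # parked item: the page leaves "too old" open, so the 5-year default is an assumption
               "certificate_age_ok": bool(spans) and all((now - nb).days <= max_cert_age_days for nb, _ in spans)}
    if idp is not None:
        results["idp_tls_redirect_sso"] = bool(_tls_endpoints(idp, "SingleSignOnService", SAML2_REDIRECT))
    if sp is not None:
        results["sp_declares_saml2"] = SAML2_PROTOCOL in sp.get("protocolSupportEnumeration", "").split()
        results["sp_tls_post_acs"] = bool(_tls_endpoints(sp, "AssertionConsumerService", SAML2_POST))
        # a KeyDescriptor with use="encryption", or with no use attribute (valid for both), satisfies it
        results["sp_encryption_key"] = any(use in (None, "encryption") for use, _ in _certs(sp))
        saml1 = _tls_endpoints(sp, "AssertionConsumerService", SAML1_POST)
        if saml1 is not None:  # the SAML 1.1 criterion applies only to SPs that still expose it
            results["sp_saml1_tls_post_acs"] = saml1
    return results

def check_metadata(xml_text, now):
    root = ET.fromstring(xml_text)
    return {e.get("entityID"): check_entity(e, now) for e in root.iter(f"{{{NS['md']}}}EntityDescriptor")}

def _der(tag, content):  # short-form lengths only; every TLV in the sample is well under 128 bytes
    return bytes([tag, len(content)]) + content

def sample_cert(not_before, not_after):
    """Constructed, unsigned, structurally minimal certificate: just enough for cert_validity()."""
    utc = lambda t: _der(0x17, t.strftime("%y%m%d%H%M%SZ").encode())
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"") + _der(0x30, b"")
           + _der(0x30, utc(not_before) + utc(not_after)))
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))

def sample_metadata(now):
    """Constructed aggregate: a compliant SP, and an IdP with an expired cert and a plain-HTTP SSO endpoint."""
    good = base64.b64encode(sample_cert(now - dt.timedelta(days=30), now + dt.timedelta(days=365))).decode()
    expired = base64.b64encode(sample_cert(now - dt.timedelta(days=800), now - dt.timedelta(days=1))).decode()
    return f"""<EntitiesDescriptor xmlns="{NS['md']}" xmlns:ds="{NS['ds']}">
  <EntityDescriptor entityID="https://sp.example.edu/shibboleth">
    <SPSSODescriptor protocolSupportEnumeration="{SAML2_PROTOCOL} urn:oasis:names:tc:SAML:1.1:protocol">
      <KeyDescriptor><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{good}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
      <AssertionConsumerService Binding="{SAML2_POST}" Location="https://sp.example.edu/Shibboleth.sso/SAML2/POST" index="1"/>
      <AssertionConsumerService Binding="{SAML1_POST}" Location="https://sp.example.edu/Shibboleth.sso/SAML/POST" index="2"/>
    </SPSSODescriptor>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth">
    <IDPSSODescriptor protocolSupportEnumeration="{SAML2_PROTOCOL}">
      <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{expired}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
      <SingleSignOnService Binding="{SAML2_REDIRECT}" Location="http://idp.example.edu/idp/profile/SAML2/Redirect/SSO"/>
    </IDPSSODescriptor>
  </EntityDescriptor>
</EntitiesDescriptor>"""
```

`check_metadata(xml_text, now)` returns one dict per entityID; a criterion is simply absent when it does not apply (no IdP role, no SAML 1.1 endpoint). On the constructed sample the SP passes every check, while the IdP fails on the expired certificate and the plain-HTTP Redirect endpoint. Regular Metadata Refresh is the one Technical Basics item this cannot see from a single snapshot; for a real aggregate, run the checker over the text you fetched after verifying the aggregate's signature, and compare results across refreshes.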