Significant profiling of SAML should be unnecessary because the Shibboleth software already provides sufficient coverage of the options that might come up. The ECP client role does not impose significant implementation costs, so it should be adoptable in full.
ID-WSF, on the other hand, is a much more complex set of specifications with many options and advanced features. For our purposes, we will profile this down severely in the initial stages. We can admit new options as they become needed.
We propose the following: the urn:liberty:security:2006-08:ClientTLS:peerSAMLV2 and urn:liberty:security:2005-02:TLS:Bearer security mechanisms for authentication of services to the IdP. Both confirm the caller through the TLS connection (the client's TLS certificate in the first case, the protected channel alone in the second) rather than through a signature over the message, so the ECP client is not required to create complex XML signatures, and either holder-of-key or bearer authentication via a SAML assertion is possible.

The urn:liberty:security:2006-08:TLS:SAMLV2 mechanism, which instead confirms the assertion by having the client sign the message, can also be implemented, but this will require profiling WS-Security sufficiently to keep the work manageable.
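The practical consequence of choosing these two mechanisms is a check on the receiving side: the subject confirmation in the presented assertion must match the mechanism that was negotiated (holder-of-key for ClientTLS:peerSAMLV2, bearer for TLS:Bearer), and for holder-of-key the certificate the caller authenticated with on the TLS connection must be the one named in the assertion. The following is an added example of that check, not code from this page or from the Shibboleth software. The mapping of mechanism URN to SAML confirmation method is the example's own reading of the Liberty mechanisms; the certificates are constructed placeholder bytes standing in for DER, the audience and issuer URLs are made up, and the example assumes the IdP's signature over the assertion has already been verified by the caller and only handles ds:X509Certificate in KeyInfo.

```python
"""Mechanism/confirmation consistency check for an ID-WSF call to the IdP.
Added example; not part of the Shibboleth page or software. Assumes the
assertion's issuer signature has already been verified by the caller."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
CM_HOK = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
CM_BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# The two mechanisms proposed on the page, mapped to the SAML subject
# confirmation method each relies on (this mapping is the example's own).
# TLS:SAMLV2 is deliberately absent: it needs WS-Security signature handling.
MECHANISMS = {
    "urn:liberty:security:2006-08:ClientTLS:peerSAMLV2": CM_HOK,
    "urn:liberty:security:2005-02:TLS:Bearer": CM_BEARER,
}


def _fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()


def _parse_time(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_token(mechanism, assertion_xml, expected_audience, now, peer_cert_der=None):
    """Return (accepted, reason). peer_cert_der is the DER certificate the
    caller proved possession of during the TLS handshake, or None."""
    method = MECHANISMS.get(mechanism)
    if method is None:
        return False, "unsupported security mechanism"
    root = ET.fromstring(assertion_xml)
    if root.tag != SAML + "Assertion":
        return False, "not a SAML 2.0 assertion"
    if expected_audience not in [a.text for a in root.iter(SAML + "Audience")]:
        return False, "audience mismatch"
    # Only a confirmation whose Method matches the mechanism counts: a bearer
    # confirmation must never satisfy a holder-of-key mechanism, or vice versa.
    confs = [c for c in root.iter(SAML + "SubjectConfirmation") if c.get("Method") == method]
    if not confs:
        return False, "confirmation method does not match mechanism"
    data = confs[0].find(SAML + "SubjectConfirmationData")
    if data is None or data.get("NotOnOrAfter") is None:
        return False, "missing SubjectConfirmationData or NotOnOrAfter"
    if _parse_time(data.get("NotOnOrAfter")) <= now:
        return False, "assertion expired"
    if method == CM_HOK:
        # Holder-of-key: the TLS client certificate must be the one named in
        # the confirmation's KeyInfo; no XML signature by the client is needed.
        if peer_cert_der is None:
            return False, "holder-of-key requires TLS client authentication"
        named = {_fingerprint(base64.b64decode("".join(c.text.split())))
                 for c in data.iter(DS + "X509Certificate") if c.text}
        if _fingerprint(peer_cert_der) not in named:
            return False, "TLS client certificate does not match KeyInfo"
    return True, "accepted"


def make_assertion(method, audience, not_on_or_after, cert_der=None):
    """Constructed, unsigned sample assertion for the demo."""
    key_info = ""
    if cert_der is not None:
        b64 = base64.b64encode(cert_der).decode()
        key_info = ('<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
                    f'<ds:X509Data><ds:X509Certificate>{b64}</ds:X509Certificate>'
                    '</ds:X509Data></ds:KeyInfo>')
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'Version="2.0" ID="_constructed1" IssueInstant="2007-01-01T00:00:00Z">'
        '<saml:Issuer>https://idp.example.org/idp</saml:Issuer>'
        '<saml:Subject><saml:NameID>user@example.org</saml:NameID>'
        f'<saml:SubjectConfirmation Method="{method}">'
        f'<saml:SubjectConfirmationData NotOnOrAfter="{not_on_or_after}">'
        f'{key_info}</saml:SubjectConfirmationData></saml:SubjectConfirmation>'
        '</saml:Subject><saml:Conditions><saml:AudienceRestriction>'
        f'<saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>'
        '</saml:Conditions></saml:Assertion>')


# Constructed placeholders standing in for DER-encoded certificates.
CLIENT_CERT = b"constructed DER bytes of the ECP client's TLS certificate"
OTHER_CERT = b"constructed DER bytes of an unrelated certificate"
NOW = datetime(2007, 1, 1, 0, 5, tzinfo=timezone.utc)
IDP = "https://idp.example.org/delegation"  # assumed audience for IdP services
HOK = "urn:liberty:security:2006-08:ClientTLS:peerSAMLV2"
BEARER = "urn:liberty:security:2005-02:TLS:Bearer"


def run_demo():
    """Exercise the accept and reject paths; returns {case: accepted}."""
    hok = make_assertion(CM_HOK, IDP, "2007-01-01T00:10:00Z", CLIENT_CERT)
    bearer = make_assertion(CM_BEARER, IDP, "2007-01-01T00:10:00Z")
    stale = make_assertion(CM_BEARER, IDP, "2007-01-01T00:01:00Z")
    return {
        "hok_ok": check_token(HOK, hok, IDP, NOW, CLIENT_CERT)[0],
        "hok_wrong_cert": check_token(HOK, hok, IDP, NOW, OTHER_CERT)[0],
        "hok_no_client_auth": check_token(HOK, hok, IDP, NOW)[0],
        "bearer_ok": check_token(BEARER, bearer, IDP, NOW)[0],
        "bearer_as_hok": check_token(HOK, bearer, IDP, NOW, CLIENT_CERT)[0],
        "stale": check_token(BEARER, stale, IDP, NOW)[0],
        "wrong_audience": check_token(BEARER, bearer, "https://other.example.org", NOW)[0],
        "unknown_mech": check_token("urn:liberty:security:2006-08:TLS:SAMLV2",
                                    hok, IDP, NOW, CLIENT_CERT)[0],
    }


if __name__ == "__main__":
    for case, ok in run_demo().items():
        print(f"{case:20s} {'accepted' if ok else 'rejected'}")
```

The point the reject cases make is that the mechanism URN is not decoration: a bearer assertion replayed against the holder-of-key mechanism, or a holder-of-key assertion presented without TLS client authentication, must fail even though the assertion itself is otherwise valid. In a real deployment the issuer signature check, clock skew tolerance and a replay cache for bearer tokens would sit in front of this logic.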