Service Provider MUST use DNS to publish its network addresses in a symbolic form. This requirement facilitates reconfigurations of the network. It is a well accepted "best practice".
Service Provider's business processes MUST be modelled.
Service Requester SHOULD NOT log, even in encrypted form, the tokens destined to the Service Responder or other parties if threat T107-LogTokLeak is a concern. If the audit trail requires logging tokens, then the tokens must be blinded so that the correlatable part is not visible, or the token MUST be encrypted such that legitimate viewers of the audit trail can decrypt it, but the SP itself cannot.
Compliance with this requirement is established with audits.
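An added illustration of the "blinded" option above (not part of this specification): the audit line records a one-way keyed handle of the token instead of the token itself, so a leaked log does not yield replayable or correlatable tokens, while an auditor holding the blinding key can still confirm that a given token is the one recorded. The token value and the blinding key are constructed for the example; the encrypt-for-auditor option is not shown.

```python
import hmac
import hashlib
import json
from datetime import datetime, timezone

# Constructed example token (not a real SAML assertion): an opaque bearer value
# whose presence in a log would let any reader of the log replay or correlate it.
SAMPLE_TOKEN = "AAdzZWNyZXQtdG9rZW4tMTIzNDU2Nzg5MA"

# Hypothetical blinding key, held by the audit function and provisioned to the
# log writer. The raw token is never written, only a keyed digest of it.
BLINDING_KEY = b"constructed-audit-blinding-key"


def blind_token(token: str, key: bytes = BLINDING_KEY) -> str:
    """Return a one-way keyed handle for a token.

    Without the key the handle cannot be linked to the token; even with the
    key the token itself cannot be recovered from the handle.
    """
    return hmac.new(key, token.encode(), hashlib.sha256).hexdigest()[:32]


def audit_record(event: str, token: str, counterparty: str) -> str:
    """Build a JSON audit line recording that a token was sent, not the token."""
    return json.dumps({
        "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "event": event,
        "to": counterparty,
        "token_blind": blind_token(token),
    })


def token_leaked(log_line: str, token: str) -> bool:
    """Detection check for the T107-LogTokLeak condition: raw token in a log line."""
    return token in log_line


def audit_matches(log_line: str, candidate_token: str, key: bytes = BLINDING_KEY) -> bool:
    """Auditor side: confirm whether a known token is the one recorded in the line."""
    recorded = json.loads(log_line)["token_blind"]
    return hmac.compare_digest(recorded, blind_token(candidate_token, key))
```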
Service Provider MUST have user's consent before leaking a correlation handle of any kind.
Service Provider MUST implement Well-Known Location (WKL) method of metadata export, see [SAML2meta] section 4.1 "Publication and Resolution via Well-Known Location", p.29, for normative description of this method.
Service Provider MUST implement Well-Known Location (WKL) method of metadata import, see [SAML2meta] section 4.1 "Publication and Resolution via Well-Known Location", p.29, for normative description of this method. The Import MUST NOT unintentionally lead to a trust relationship.
Service Provider MUST authenticate the Service Requester according to CR216-EntAn.
Service Provider MUST authenticate itself to the Service Requester according to CR216-EntAn.