
2.2.2.1 Authentication Request

  1. MUST use NameIDPolicy/@Format of Persistent ("urn:oasis:names:tc:SAML:2.0:nameid-format:persistent") when implementing the Pull Model (Req. D1.2-7.8-NoColl).

  2. MUST use NameIDPolicy/@Format of Transient ("urn:oasis:names:tc:SAML:2.0:nameid-format:transient") when implementing the Linking Service model.

  3. MUST set NameIDPolicy/@SPNameQualifier.

  4. MUST set the NameIDPolicy/@AllowCreate flag to true at all times.

  5. SHOULD NOT set the IsPassive flag (in some cases there may be justified reasons to do otherwise).

  6. MUST use AssertionConsumerServiceIndex.

  7. MUST NOT use ProtocolBinding or AssertionConsumerServiceURL.

  8. Step-up authentication using Authentication Context Class References MUST be supported.

  9. SHOULD use the AttributeConsumingServiceIndex attribute, which refers to a section of the metadata, as a way of selecting the attributes that are returned in the authentication response. The reader should be aware that new proposals for solving this issue more dynamically have been submitted to the OASIS Security Services Technical Committee, e.g. [Kellomaki08]. It should also be noted that the returned attributes are always at the discretion of the IdP.
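As an added example (not part of this specification or any reference implementation), the following Python builds an AuthnRequest that follows rules 1 to 9 for either the Pull Model or the Linking Service model, and a checker that lists which of the rules a given request violates, the kind of conformance test an SP or IdP operator can run against outgoing or incoming requests. The entity ID, index values, request ID and authentication context class are assumed sample values.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

def build_authn_request(model, sp_entity_id, acs_index="0", attr_index="1",
                        authn_ctx="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"):
    """Build an AuthnRequest following rules 1-9; model is 'pull' or 'linking'."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_constructed-request-id", "Version": "2.0",   # constructed sample values
        "IssueInstant": "2024-01-01T00:00:00Z",
        "AssertionConsumerServiceIndex": acs_index,   # rule 6; no ProtocolBinding/ACS URL (rule 7)
        "AttributeConsumingServiceIndex": attr_index, # rule 9: attribute set chosen via metadata
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    ET.SubElement(req, f"{{{SAMLP}}}NameIDPolicy", {
        "Format": PERSISTENT if model == "pull" else TRANSIENT,  # rules 1 and 2
        "SPNameQualifier": sp_entity_id,                         # rule 3
        "AllowCreate": "true",                                   # rule 4
    })
    rac = ET.SubElement(req, f"{{{SAMLP}}}RequestedAuthnContext", {"Comparison": "minimum"})
    ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = authn_ctx  # rule 8
    return ET.tostring(req, encoding="unicode")

def check_authn_request(xml_text, model):
    """Return the list of profile rules the AuthnRequest violates; [] means compliant."""
    root = ET.fromstring(xml_text)
    problems = []
    want = PERSISTENT if model == "pull" else TRANSIENT
    pol = root.find(f"{{{SAMLP}}}NameIDPolicy")
    attrs = pol.attrib if pol is not None else {}  # a missing NameIDPolicy fails every sub-check
    if attrs.get("Format") != want:
        problems.append(f"NameIDPolicy/@Format must be {want}")
    if not attrs.get("SPNameQualifier"):
        problems.append("NameIDPolicy/@SPNameQualifier must be set")
    if attrs.get("AllowCreate") != "true":
        problems.append("NameIDPolicy/@AllowCreate must be true")
    if root.get("IsPassive", "false") == "true":
        problems.append("IsPassive SHOULD NOT be set")
    if "AssertionConsumerServiceIndex" not in root.attrib:
        problems.append("AssertionConsumerServiceIndex missing")
    for attr in ("ProtocolBinding", "AssertionConsumerServiceURL"):
        if attr in root.attrib:
            problems.append(f"{attr} MUST NOT be used")
    if root.find(f"{{{SAMLP}}}RequestedAuthnContext/{{{SAML}}}AuthnContextClassRef") is None:
        problems.append("RequestedAuthnContext/AuthnContextClassRef missing (step-up support)")
    return problems
```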

