
2.2.2.2 Authentication Response

The authentication request is answered with an assertion that satisfies the following:

  1. MUST contain <sa:AuthnStatement>

  2. MUST specify the Level of Authentication as AuthnStatement/AuthnContext/AuthnContextClassRef.

  3. MUST use the LoA profile [SAML2LOA] to return LoA to the SP.

  4. SHOULD have an AudienceRestriction/Audience element referencing the SP.

  5. MAY contain an <AttributeStatement> detailing the user's attributes as relevant to the SP and/or as requested using AttributeConsumingServiceIndex.

  6. SHOULD have an <AttributeStatement> containing a discovery bootstrap (attribute named "urn:liberty:disco:2006-08:DiscoveryEPR" whose value is an endpoint reference) as described in [Disco2] section 4 "Discovery Service ID-WSF EPR conveyed via a Security Token".

  7. MAY have additional Attribute Statements conveying other endpoint references. Rather than providing additional EPRs at SSO, using discovery is RECOMMENDED. If additional EPRs are passed, the attributes SHOULD be named "urn:liberty:disco:2006-08:DiscoveryEPR" even if they do not refer to discovery service. The SP, when seeing "urn:liberty:disco:2006-08:DiscoveryEPR" attribute MUST look at the Attribute/AttributeValue/EndpointReference/Metadata/ServiceType element to determine the type of the end point reference. The SP SHOULD consider any attribute whose value is an <a:EndpointReference> to be a bootstrap.
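The following is an added example, not part of the profile text or any reference implementation: an SP-side check that walks a received assertion against rules 1 through 7 above, reports which MUST and SHOULD requirements are unmet, and collects every EPR-valued attribute as a bootstrap typed by its Metadata/ServiceType (rule 7). The assertion is constructed for the example; the WS-Addressing namespace, the disco namespace used for ServiceType, and the discovery-service ServiceType URI are assumptions, and the LoA value is a placeholder.

```python
import re
import xml.etree.ElementTree as ET

# Namespaces. The SAML 2.0 assertion namespace is standard; the WS-Addressing and
# ID-WSF discovery namespaces are assumed for the EndpointReference/Metadata/ServiceType path.
NS = {
    "sa": "urn:oasis:names:tc:SAML:2.0:assertion",
    "a": "http://www.w3.org/2005/08/addressing",
    "disco": "urn:liberty:disco:2006-08",
}
DISCO_EPR_ATTR = "urn:liberty:disco:2006-08:DiscoveryEPR"
DISCO_SERVICE_TYPE = "urn:liberty:disco:2006-08"  # assumed ServiceType URI of the discovery service


def _text(elem):
    """Stripped element text, or '' when the element is absent or empty."""
    return (elem.text or "").strip() if elem is not None else ""


def check_assertion(xml_text, sp_entity_id):
    """Check one assertion against rules 1-7; return the LoA, audiences, bootstraps and findings."""
    root = ET.fromstring(xml_text)
    findings = []

    # Rules 1-3: AuthnStatement present and the LoA carried in AuthnContext/AuthnContextClassRef.
    authn = root.find("sa:AuthnStatement", NS)
    loa = ""
    if authn is None:
        findings.append(("MUST", "assertion has no sa:AuthnStatement"))
    else:
        loa = _text(authn.find("sa:AuthnContext/sa:AuthnContextClassRef", NS))
        if not loa:
            findings.append(("MUST", "AuthnStatement carries no AuthnContext/AuthnContextClassRef (LoA)"))

    # Rule 4: an Audience should name this SP; an assertion scoped to some other SP is not for us.
    audiences = [_text(e) for e in root.findall("sa:Conditions/sa:AudienceRestriction/sa:Audience", NS)]
    if sp_entity_id not in audiences:
        findings.append(("SHOULD", f"no AudienceRestriction/Audience equal to {sp_entity_id}"))

    # Rules 5-7: every attribute whose value is an EndpointReference is a bootstrap; its type
    # comes from Metadata/ServiceType, not from the attribute name.
    bootstraps = []
    for attr in root.findall("sa:AttributeStatement/sa:Attribute", NS):
        name = attr.get("Name", "")
        for value in attr.findall("sa:AttributeValue", NS):
            epr = value.find("a:EndpointReference", NS)
            if epr is None:
                continue  # ordinary (non-EPR) attribute, e.g. mail
            bootstraps.append({
                "attribute": name,
                "address": _text(epr.find("a:Address", NS)),
                "service_type": _text(epr.find("a:Metadata/disco:ServiceType", NS)),
            })
            if name != DISCO_EPR_ATTR:
                findings.append(("SHOULD", f"EPR-valued attribute named {name!r}, expected {DISCO_EPR_ATTR}"))
    if not any(b["service_type"] == DISCO_SERVICE_TYPE for b in bootstraps):
        findings.append(("SHOULD", "no discovery bootstrap (EPR whose ServiceType is the discovery service)"))

    return {"loa": loa, "audiences": audiences, "bootstraps": bootstraps, "findings": findings}


# Constructed sample: one discovery bootstrap, one further EPR (named DiscoveryEPR per rule 7),
# and one plain attribute. Hosts and the LoA URI are placeholders.
SAMPLE_ASSERTION = """<sa:Assertion xmlns:sa="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:disco="urn:liberty:disco:2006-08"
    Version="2.0" ID="_c1" IssueInstant="2024-01-01T00:00:00Z">
  <sa:Issuer>https://idp.example.org</sa:Issuer>
  <sa:Subject><sa:NameID>user1</sa:NameID></sa:Subject>
  <sa:Conditions>
    <sa:AudienceRestriction><sa:Audience>https://sp.example.com</sa:Audience></sa:AudienceRestriction>
  </sa:Conditions>
  <sa:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z">
    <sa:AuthnContext><sa:AuthnContextClassRef>urn:example:loa:2</sa:AuthnContextClassRef></sa:AuthnContext>
  </sa:AuthnStatement>
  <sa:AttributeStatement>
    <sa:Attribute Name="urn:liberty:disco:2006-08:DiscoveryEPR">
      <sa:AttributeValue><a:EndpointReference>
        <a:Address>https://disco.example.org/ws</a:Address>
        <a:Metadata><disco:ServiceType>urn:liberty:disco:2006-08</disco:ServiceType></a:Metadata>
      </a:EndpointReference></sa:AttributeValue>
    </sa:Attribute>
    <sa:Attribute Name="urn:liberty:disco:2006-08:DiscoveryEPR">
      <sa:AttributeValue><a:EndpointReference>
        <a:Address>https://ps.example.org/ws</a:Address>
        <a:Metadata><disco:ServiceType>urn:example:ps:2024</disco:ServiceType></a:Metadata>
      </a:EndpointReference></sa:AttributeValue>
    </sa:Attribute>
    <sa:Attribute Name="urn:example:mail"><sa:AttributeValue>user1@example.org</sa:AttributeValue></sa:Attribute>
  </sa:AttributeStatement>
</sa:Assertion>"""

# Same assertion with the AuthnStatement stripped, to exercise the rule-1 MUST finding.
SAMPLE_NO_AUTHN = re.sub(r"<sa:AuthnStatement.*?</sa:AuthnStatement>", "", SAMPLE_ASSERTION, flags=re.S)

if __name__ == "__main__":
    for label, xml, sp in (("ok", SAMPLE_ASSERTION, "https://sp.example.com"),
                           ("no-authn", SAMPLE_NO_AUTHN, "https://sp.example.com"),
                           ("wrong-sp", SAMPLE_ASSERTION, "https://other.example")):
        result = check_assertion(xml, sp)
        print(label, "LoA:", result["loa"] or "-", "findings:", result["findings"] or "none")
```

The check is deliberately separate from signature verification: it only says whether a parsed assertion carries what this profile requires, so it belongs after the response's signature and validity period have already been verified. Note that the second EPR is still named DiscoveryEPR and is told apart from the real discovery bootstrap only by its ServiceType, which is exactly the lookup rule 7 prescribes for the SP.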
