...

The group originally added an item to the revised SAML2int that it later concluded was advice rather than a profile requirement. The item stated that a service provider (SP) that requests forced reauthentication should verify that forced reauthentication was actually performed. While this is a very wise thing to do, it is not firm enough to be required by a profile, and it suggests a family of related checks that SPs should also perform: verify that the requested authentication context was satisfied, synchronize server clocks using NTP, and check for the expected attributes in a SAML response rather than granting access solely on the presence of a successful status. There are certainly others, and these lend themselves to an advanced-topics write-up for SP on-boarding. The group recommends that InCommon explore other topics to be addressed in such a write-up and add it to the work of the SP on-boarding working group.
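The three SP-side checks named above can be expressed as a single validation pass over the SAML Response. The following is an added example, not code from the working group or from any InCommon software: it assumes the SP has already verified the XML signature, InResponseTo, Destination/Recipient, audience and Conditions (none of which are repeated here), that authentication context is compared with the "exact" rule, and that the two SAML Responses embedded below are constructed test data. The clock-skew allowance is where the NTP advice bites: a skew window exists only because SP and IdP clocks drift, and it also bounds how old an AuthnInstant may be before a ForceAuthn request is treated as ignored.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Clock skew tolerated between SP and IdP. Keeps honest (NTP-synced) deployments
# from false rejections while still bounding how stale an AuthnInstant may be.
DEFAULT_SKEW = timedelta(seconds=180)


def parse_instant(value):
    """Parse a SAML xs:dateTime such as 2024-05-01T12:00:04Z (UTC, no fraction)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_response(response_xml, request_issue_instant, requested_contexts,
                   required_attrs, skew=DEFAULT_SKEW):
    """Return a list of problems; an empty list means all checks passed.

    Assumes signature, InResponseTo, Recipient, audience and Conditions were
    already verified by the caller (not shown in this example).
    """
    root = ET.fromstring(response_xml)
    problems = []

    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        return ["status is not Success"]

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no plaintext Assertion in Response"]

    # 1. Was ForceAuthn honoured? The authentication event must not predate the
    #    request we sent, beyond the allowed clock skew.
    authn = assertion.find("saml:AuthnStatement", NS)
    if authn is None:
        problems.append("no AuthnStatement in Assertion")
    else:
        instant = parse_instant(authn.get("AuthnInstant"))
        if instant + skew < request_issue_instant:
            problems.append("ForceAuthn not honoured: AuthnInstant %s predates the request"
                            % instant.isoformat())
        # 2. Was the requested authentication context satisfied? (exact match only)
        ctx = authn.findtext("saml:AuthnContext/saml:AuthnContextClassRef",
                             default="", namespaces=NS).strip()
        if requested_contexts and ctx not in requested_contexts:
            problems.append("AuthnContextClassRef %r not among requested classes" % ctx)

    # 3. Are the attributes we need present? A Success status alone grants nothing.
    present = {a.get("Name") for a in
               assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    missing = sorted(set(required_attrs) - present)
    if missing:
        problems.append("missing attributes: " + ", ".join(missing))
    return problems


# Constructed test data (hypothetical entity IDs and identifiers).
REQUEST_ISSUED = parse_instant("2024-05-01T12:00:00Z")   # IssueInstant of our AuthnRequest
REQUESTED_CONTEXTS = {"https://refeds.org/profile/mfa"}
REQUIRED_ATTRS = ["urn:oid:1.3.6.1.4.1.5923.1.1.1.6"]    # eduPersonPrincipalName

_HDR = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" '
        'IssueInstant="2024-05-01T12:00:05Z" InResponseTo="_req1">'
        '<samlp:Status><samlp:StatusCode Value="%s"/></samlp:Status>' % SUCCESS)

# IdP reauthenticated the user with MFA just after our request and released ePPN.
GOOD_RESPONSE = _HDR + (
    '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:05Z">'
    '<saml:Issuer>https://idp.example.edu/idp</saml:Issuer>'
    '<saml:AuthnStatement AuthnInstant="2024-05-01T12:00:04Z"><saml:AuthnContext>'
    '<saml:AuthnContextClassRef>https://refeds.org/profile/mfa</saml:AuthnContextClassRef>'
    '</saml:AuthnContext></saml:AuthnStatement>'
    '<saml:AttributeStatement><saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6">'
    '<saml:AttributeValue>jdoe@example.edu</saml:AttributeValue></saml:Attribute>'
    '</saml:AttributeStatement></saml:Assertion></samlp:Response>')

# IdP ignored ForceAuthn (reused a morning password session) and released no attributes.
STALE_RESPONSE = _HDR + (
    '<saml:Assertion ID="_a2" Version="2.0" IssueInstant="2024-05-01T12:00:05Z">'
    '<saml:Issuer>https://idp.example.edu/idp</saml:Issuer>'
    '<saml:AuthnStatement AuthnInstant="2024-05-01T08:30:00Z"><saml:AuthnContext>'
    '<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'
    '</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement>'
    '</saml:Assertion></samlp:Response>')

if __name__ == "__main__":
    print("good :", check_response(GOOD_RESPONSE, REQUEST_ISSUED, REQUESTED_CONTEXTS, REQUIRED_ATTRS))
    print("stale:", check_response(STALE_RESPONSE, REQUEST_ISSUED, REQUESTED_CONTEXTS, REQUIRED_ATTRS))
```

The stale response still carries a Success status, which is exactly why granting access on status alone is unsafe: only the AuthnInstant, AuthnContextClassRef and attribute checks reveal that the IdP neither reauthenticated the user nor met the requested context nor released the identifier the SP needs.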

...

The working group recommends that InCommon establish automated tests for requirements wherever possible. Many of the requirements cannot be tested mechanically, but for those that can, there is clear benefit in testing them and notifying the registered contacts when a deployment fails.

The SAML 2.0 standard has accumulated a number of errata since its creation, along with a number of suggestions in the SSTC Jira backlog. The working group recommends that InCommon ask the OASIS SSTC to fold these corrections and additions into a SAML 2.1 revision.

Finally, the working group recommends some well-planned marketing and incentives to help InCommon participants achieve compliance. This could involve adding items to Baseline Expectations as noted above, but it also could include a badge or signaling in metadata. As with SIRTFI, metadata signaling could be self-asserted. InCommon might also want to consider a Baseline+ certification; participants who don't meet the extra requirements won't be removed from the federation, but those who do will receive additional benefits. Adherence to many items in this profile might fall into that category.