...

  • What matching rules are recommended, or acceptable?
  • Some SPs may not be able to use the AuthnRequest mechanism due to software or other limitations.  Are they out of luck?
  • How is this configured using the Shib SP?  simpleSAML SP?
  • Boarding process: how does an SP determine that an IdP supports assurance operationally (à la attribute support)? The IAQ in metadata only states certification, not live service.

SPs will receive IAQs (either in response to a request, or sent unsolicited) in assertions from IdPs. For each assertion, the SP should check the metadata of the issuing IdP to confirm that the IdP is certified to assert the IAQ it is asserting.
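One way an SP could implement this metadata check, as an added example that is not part of the original page or of any SP software. It assumes certification is published under the OASIS `assurance-certification` entity attribute and that the IAQ arrives in `AuthnContextClassRef`; the IAQ URIs, entity IDs and helper names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Entity attribute defined by the OASIS SAML V2.0 Identity Assurance Profiles.
# Assumption: the federation publishes IdP certification under this name.
CERT_ATTR = "urn:oasis:names:tc:SAML:attribute:assurance-certification"
# Constructed IAQ URIs, for illustration only.
SILVER, BRONZE = "https://example.org/assurance/silver", "https://example.org/assurance/bronze"
XMLNS = " ".join(f'xmlns:{p}="{u}"' for p, u in NS.items())

def _idp(entity_id, iaqs):
    """Build one constructed EntityDescriptor listing the IAQs the IdP is certified for."""
    values = "".join(f"<saml:AttributeValue>{q}</saml:AttributeValue>" for q in iaqs)
    return (f'<md:EntityDescriptor entityID="{entity_id}"><md:Extensions>'
            f'<mdattr:EntityAttributes><saml:Attribute Name="{CERT_ATTR}">{values}'
            f'</saml:Attribute></mdattr:EntityAttributes></md:Extensions></md:EntityDescriptor>')

# Constructed federation metadata: idp-a is certified for both IAQs, idp-b for bronze only.
METADATA = (f"<md:EntitiesDescriptor {XMLNS}>"
            + _idp("https://idp-a.example.org/idp", [SILVER, BRONZE])
            + _idp("https://idp-b.example.org/idp", [BRONZE])
            + "</md:EntitiesDescriptor>")

def make_assertion(issuer, class_ref):
    """Constructed, unsigned assertion skeleton carrying only the fields the check reads."""
    return (f'<saml:Assertion {XMLNS}><saml:Issuer>{issuer}</saml:Issuer><saml:AuthnStatement>'
            f'<saml:AuthnContext><saml:AuthnContextClassRef>{class_ref}</saml:AuthnContextClassRef>'
            f'</saml:AuthnContext></saml:AuthnStatement></saml:Assertion>')

def certified_iaqs(metadata_xml, entity_id):
    """IAQs the metadata says this IdP may assert (empty set if none, or IdP unknown)."""
    for ent in ET.fromstring(metadata_xml).iter(f"{{{NS['md']}}}EntityDescriptor"):
        if ent.get("entityID") == entity_id:
            attrs = ent.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS)
            return {v.text.strip() for a in attrs if a.get("Name") == CERT_ATTR
                    for v in a.findall("saml:AttributeValue", NS) if v.text}
    return set()

def check_asserted_iaq(assertion_xml, metadata_xml, known_iaqs=frozenset({SILVER, BRONZE})):
    """Return 'no-iaq', 'certified' or 'uncertified' for the single asserted class ref.

    Assumes the SAML stack has already verified the signatures on both inputs."""
    a = ET.fromstring(assertion_xml)
    issuer = (a.findtext("saml:Issuer", "", NS) or "").strip()
    ref = (a.findtext("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef",
                      "", NS) or "").strip()
    if ref not in known_iaqs:
        return "no-iaq"  # ordinary authentication context, nothing to verify
    return "certified" if ref in certified_iaqs(metadata_xml, issuer) else "uncertified"
```

An "uncertified" result means the IdP claimed an IAQ its metadata does not back, so the SP should treat the login as carrying no assurance rather than trusting the asserted value.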

...

  • What matching rules are supported?
  • Is it possible for the IdP to return multiple IAQs? 
       No, not using the AuthnContext element.
  • How does the Shib (or SSP) IdP interact with local IdM?  Is a custom login handler required?

...