Versions Compared

...

Service Providers must support the direct generation of authentication request messages conforming to the SAML Authentication Request Protocol [SAML Core, 3.4].

Service Providers that want to bypass user-initiated discovery SHOULD support the Request Initiation profile: http://docs.oasis-open.org/security/saml/Post2.0/sstc-request-initiation.html

Requiring the use of unsolicited responses (so-called “IdP-initiated SSO” requests) is not a substitute for this requirement.

...

Clock skew support

Deployers MUST support a minimum of three (3) and a maximum of five (5) minutes of clock skew, in either direction, when interpreting xsd:dateTime values in assertions and enforcing security policies based thereupon.
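An added example, not part of the profile text, of applying this rule when an SP evaluates the NotBefore and NotOnOrAfter attributes of <saml2:Conditions>: the skew is applied in both directions and clamped to the 3..5 minute range the profile permits. The function names and the sample timestamps are assumptions of this example.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# Bounds taken from the profile text: tolerated skew MUST be at least 3 and at most 5 minutes.
MIN_SKEW_MINUTES = 3
MAX_SKEW_MINUTES = 5


def parse_xsd_datetime(value: str) -> datetime:
    """Parse a SAML xsd:dateTime (UTC with trailing 'Z', optional fractional seconds)."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"  # datetime.fromisoformat() wants an explicit offset
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:
        raise ValueError("SAML Core requires a UTC designator on xsd:dateTime values")
    return parsed.astimezone(timezone.utc)


def check_assertion_window(not_before: Optional[str], not_on_or_after: Optional[str],
                           now_iso: str, skew_minutes: int = MIN_SKEW_MINUTES) -> bool:
    """Return True if the <saml2:Conditions> window admits the current time.

    NotBefore is inclusive and NotOnOrAfter is exclusive (SAML Core 2.5.1.2);
    the skew tolerance is applied symmetrically, i.e. in either direction.
    """
    if not MIN_SKEW_MINUTES <= skew_minutes <= MAX_SKEW_MINUTES:
        raise ValueError("skew tolerance outside the 3..5 minute range the profile permits")
    skew = timedelta(minutes=skew_minutes)
    now = parse_xsd_datetime(now_iso)
    # Our clock may be running slow: allow the assertion up to `skew` of lead time.
    if not_before is not None and now + skew < parse_xsd_datetime(not_before):
        return False
    # Our clock may be running fast: only treat it as expired `skew` past NotOnOrAfter.
    if not_on_or_after is not None and now - skew >= parse_xsd_datetime(not_on_or_after):
        return False
    return True


if __name__ == "__main__":
    # Constructed sample: the IdP's clock is 4 minutes ahead of ours.
    print(check_assertion_window("2024-01-01T12:04:00Z", "2024-01-01T12:09:00Z",
                                 "2024-01-01T12:00:00Z", skew_minutes=3))  # False
    print(check_assertion_window("2024-01-01T12:04:00Z", "2024-01-01T12:09:00Z",
                                 "2024-01-01T12:00:00Z", skew_minutes=5))  # True
```

The boundary case matters in practice: because NotOnOrAfter is exclusive, an assertion whose NotOnOrAfter equals exactly now minus the tolerated skew is already rejected.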

...

<If the SP does not support the generation of authentication requests, then it is not compliant with this profile. So perhaps the "or if the SP does not support" phrase should be removed?>


String Attribute

...

Value--

Service Providers MUST support the consumption of <saml2:Attribute> elements containing any arbitrary xs:string value in the Name attribute and any arbitrary xs:anyURI value in the NameFormat attribute.

...

<Is this still a best practice?> The SAML binding-specific RelayState feature is typically used to maintain state required to satisfy both of these requirements, the exact detail of which is left to implementations.