...
Authentication Context requests
An SP that requires specific authncontextclassref value(s) in assertions MUST specify those allowable values in the RequestedAuthnContext element of authnrequests it generates. Conversely, if an SP does not specify RequestedAuthnContext values in authnrequests it generates, or if the SP does not support the generation of authentication requests (reference to SP-initiated, above), then the SP MUST NOT restrict allowable authncontextclassref values in IdP assertions. <If the SP does not support the generation of authentication requests, then it is not compliant with this profile. So perhaps the "or if the SP does not support" phrase should be removed?>
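One way an SP could enforce the rule above, as an added example that is not part of the profile text: the assertion's class reference is checked only against what the SP itself put in RequestedAuthnContext, and nothing is restricted when the SP sent none. The function names and the trimmed sample messages are constructed for illustration, and only the default Comparison="exact" is handled.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"

def requested_classes(authn_request_xml):
    """Class refs the SP placed in RequestedAuthnContext; [] when it sent none."""
    rac = ET.fromstring(authn_request_xml).find("samlp:RequestedAuthnContext", NS)
    if rac is None:
        return []
    if rac.get("Comparison", "exact") != "exact":
        raise ValueError("this example only handles Comparison='exact'")
    return [e.text.strip() for e in rac.findall("saml:AuthnContextClassRef", NS) if e.text]

def asserted_classes(assertion_xml):
    """Class refs the IdP asserted. Assumption: signature already verified."""
    path = "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef"
    return [e.text.strip() for e in ET.fromstring(assertion_xml).findall(path, NS) if e.text]

def context_acceptable(requested, asserted):
    """Apply the rule: restrict only to values the SP actually requested."""
    if not requested:
        return True  # no RequestedAuthnContext sent: SP MUST NOT restrict
    return any(a in requested for a in asserted)

# Constructed, trimmed sample messages (not from the page; no Issuer or Signature).
def sample_request(class_refs):
    inner = "".join(f"<saml:AuthnContextClassRef>{c}</saml:AuthnContextClassRef>"
                    for c in class_refs)
    rac = f"<samlp:RequestedAuthnContext>{inner}</samlp:RequestedAuthnContext>" if class_refs else ""
    return (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">{rac}</samlp:AuthnRequest>')

def sample_assertion(class_ref):
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}" ID="_a1" Version="2.0" '
            f'IssueInstant="2024-01-01T00:00:05Z">'
            f'<saml:AuthnStatement AuthnInstant="2024-01-01T00:00:04Z"><saml:AuthnContext>'
            f'<saml:AuthnContextClassRef>{class_ref}</saml:AuthnContextClassRef>'
            f'</saml:AuthnContext></saml:AuthnStatement></saml:Assertion>')

if __name__ == "__main__":
    req = requested_classes(sample_request([AC + "TimeSyncToken"]))
    for ref in ("TimeSyncToken", "Password"):
        print(ref, context_acceptable(req, asserted_classes(sample_assertion(AC + ref))))
```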
Issue: 17
String Attribute Value
...
Service Providers MUST support the consumption of <saml2:Attribute>
elements containing any arbitrary xs:string value in the Name
attribute and any arbitrary xs:anyURI value in the NameFormat
attribute.
...