Versions Compared

(Obviously still draft at this point)

(Mostly expected for inclusion in saml2int, but may require additional review)

SP-Initiated SSO

Service Providers must support the direct generation of authentication request messages conforming to the SAML Authentication Request Protocol [SAML Core, 3.4].

...

Deployers MUST support a minimum of three (3) and a maximum of five (5) minutes of clock skew, in either direction, when interpreting xsd:dateTime values in assertions and enforcing security policies based thereupon.

The following is a non-exhaustive list of items to which this directive applies: NotBefore, NotOnOrAfter, and validUntil XML attributes found on Conditions, SubjectConfirmationData, LogoutRequest, EntityDescriptor, EntitiesDescriptor, RoleDescriptor, and AffiliationDescriptor elements.
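The skew rule above, applied to the NotBefore, NotOnOrAfter and validUntil attributes the list names, as an added Python example (not part of the profile text; the function names and the sample timestamps are constructed for illustration):

```python
"""Added example: enforce NotBefore/NotOnOrAfter/validUntil with a bounded clock skew."""
from datetime import datetime, timedelta, timezone
from typing import Optional

MIN_SKEW = timedelta(minutes=3)  # profile floor: deployments MUST tolerate at least this
MAX_SKEW = timedelta(minutes=5)  # profile ceiling: and MUST NOT tolerate more


def skew_is_allowed(skew: timedelta) -> bool:
    """True when the configured skew lies inside the 3..5 minute range the profile allows."""
    return MIN_SKEW <= skew <= MAX_SKEW


def parse_xsd_datetime(value: str) -> datetime:
    """Parse an xsd:dateTime as used in SAML ('Z' or an explicit offset) into a UTC datetime.
    Values without a timezone are ambiguous and are rejected rather than guessed."""
    text = value.strip()
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"  # fromisoformat on older Pythons does not accept 'Z'
    dt = datetime.fromisoformat(text)
    if dt.tzinfo is None:
        raise ValueError(f"xsd:dateTime without timezone is ambiguous: {value!r}")
    return dt.astimezone(timezone.utc)


def check_validity_window(now: datetime, skew: timedelta,
                          not_before: Optional[str] = None,
                          not_on_or_after: Optional[str] = None,
                          valid_until: Optional[str] = None) -> bool:
    """Apply the skew in both directions: NotBefore may sit up to `skew` in the future,
    NotOnOrAfter and validUntil up to `skew` in the past. NotOnOrAfter is exclusive."""
    if not skew_is_allowed(skew):
        raise ValueError(f"clock skew {skew} is outside the 3-5 minute range the profile allows")
    if not_before is not None and now < parse_xsd_datetime(not_before) - skew:
        return False  # not yet valid, even after tolerating skew
    for upper in (not_on_or_after, valid_until):
        if upper is not None and now >= parse_xsd_datetime(upper) + skew:
            return False  # expired, even after tolerating skew
    return True


if __name__ == "__main__":
    # Constructed sample: evaluated at 12:00Z with a 3-minute tolerance
    now = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
    print(check_validity_window(now, timedelta(minutes=3),
                                "2024-05-01T12:02:00Z", "2024-05-01T12:07:00Z"))  # True
```

The same function applies unchanged to a metadata validUntil, since the profile treats EntityDescriptor and RoleDescriptor timestamps under the same rule as assertion Conditions.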

Keys in metadata

Public keys used for encryption and signature verification SHOULD be communicated using long-lived, unexpired, self-signed certificates.

...

Authentication Context requests

Previous wording: An SP that requires specific authncontextclassref value(s) in assertions MUST specify those allowable values in the RequestedAuthnContext element of authnrequests it generates. Conversely, if an SP does not specify RequestedAuthnContext values in authnrequests it generates, then the SP MUST NOT restrict allowable authcontextclassref values in IdP assertions.

Revised wording: An SP that only accepts specific AuthnContextClassRef value(s) in assertions MUST specify those allowable values in the RequestedAuthnContext element of AuthnRequests it generates. An SP that does not require specific AuthnContextClassRef value(s) in assertions MUST NOT include any RequestedAuthnContext elements in AuthnRequests it generates.

Issue: 17

String Attribute Value

...