- Standardized attribute release requirements for participant IdPs (could get tricky with applications that don't want attributes, for example library/publisher SPs)
- NOTE: This requirement needs to be better defined: Dealing with FERPA suppression of attributes for graduate students participating in research projects
- Prevent vendors from charging fees for use of SAML in a multilateral federation context
- NOTE: This requirement needs to be better defined: "Lack of framework/contract terms; change controls, support escalation"
- Publication of security contact information for incident response (requirement for support for SIRTFI)
Other work to be done:
- Browser cookie handling improvements needed and/or token binding needed (support for removing sessions at logout time, Safari's new problematic anti-tracking-cookie behavior)
Additional advice for service providers