...
- Documented Attribute Release Process
- IdPs SHOULD support the urn:oasis:names:tc:SAML:2.0:nameid-format:persistent name identifier format and/or the eduPersonTargetedID attribute. Stored or computed? (There are disadvantages with each approach.)
- IdPs SHOULD support the urn:oasis:names:tc:SAML:2.0:nameid-format:transient encrypted name identifier format (requires Shib IdP 2.3). Since this identifier can be reversed, it is especially useful for security incident response.
- Release of "basic" attributes w/o admin involvement (via consent or otherwise)
...
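The stored-versus-computed question for persistent identifiers, and the reversibility of transient identifiers, are easier to weigh with concrete code. The following is an added example written for this page, not code from the original document or from the Shibboleth project. It models a computed persistent ID as a salted hash of SP entityID and principal (an assumption modelled on the Shibboleth computed-ID idea; the real canonical string and hash function may differ), a stored persistent ID as a random value kept in a table, and a transient ID whose reversal goes through a short-lived server-side mapping rather than the encrypted form the page mentions. All entity IDs, principals and the salt are constructed sample values.

```python
import base64
import hashlib
import secrets
from dataclasses import dataclass, field

# Constructed sample values; none of these come from the original page.
SALT = b"constructed-example-salt-rotate-me"        # IdP-wide secret salt
SP_ENTITY_ID = "https://sp.example.org/shibboleth"  # hypothetical relying party
PRINCIPAL = "jdoe"                                   # hypothetical user


def computed_persistent_id(principal: str, sp_entity_id: str, salt: bytes = SALT) -> str:
    """Computed persistent identifier.

    Assumption: modelled on the Shibboleth computed-ID idea of hashing the SP
    entityID, the principal and a secret salt; the exact canonical form differs.
    Stable for the same (principal, SP) pair, different per SP so SPs cannot
    correlate users, and needs no IdP-side table. Disadvantage: one pairing
    cannot be revoked or reissued without changing the salt for every user.
    """
    material = sp_entity_id.encode() + b"!" + principal.encode() + b"!" + salt
    return base64.b64encode(hashlib.sha256(material).digest()).decode()


@dataclass
class StoredPersistentIds:
    """Stored persistent identifier: random opaque value kept in a table.

    Advantage: a single (principal, SP) pairing can be revoked and reissued.
    Disadvantage: the IdP now owns a database it must protect and back up.
    """
    table: dict = field(default_factory=dict)  # (principal, sp) -> identifier

    def get_or_create(self, principal: str, sp_entity_id: str) -> str:
        key = (principal, sp_entity_id)
        if key not in self.table:
            self.table[key] = secrets.token_urlsafe(24)
        return self.table[key]

    def revoke(self, principal: str, sp_entity_id: str) -> None:
        self.table.pop((principal, sp_entity_id), None)


@dataclass
class TransientIds:
    """Transient identifier: a fresh random value per session.

    The IdP keeps a short-lived mapping so an incident responder can turn a
    value seen in SP logs back into a principal. (Shibboleth's encrypted form
    folds this mapping into the identifier itself; this added example uses a
    server-side table instead, which is an assumption, not the page's method.)
    """
    ttl_seconds: int = 8 * 3600
    table: dict = field(default_factory=dict)  # token -> (principal, sp, issued_at)

    def issue(self, principal: str, sp_entity_id: str, now: int) -> str:
        token = secrets.token_urlsafe(24)
        self.table[token] = (principal, sp_entity_id, now)
        return token

    def resolve(self, token: str, now: int):
        """Reverse a transient ID: (principal, sp), or None if unknown or expired."""
        entry = self.table.get(token)
        if entry is None:
            return None
        principal, sp_entity_id, issued_at = entry
        if now - issued_at > self.ttl_seconds:
            return None
        return principal, sp_entity_id


if __name__ == "__main__":
    print("computed persistent:", computed_persistent_id(PRINCIPAL, SP_ENTITY_ID))
    store = StoredPersistentIds()
    print("stored persistent:  ", store.get_or_create(PRINCIPAL, SP_ENTITY_ID))
    transient = TransientIds(ttl_seconds=60)
    tok = transient.issue(PRINCIPAL, SP_ENTITY_ID, now=1000)
    print("transient:", tok, "->", transient.resolve(tok, now=1030))
```

Running the script twice shows the trade-off directly: the computed value is identical on both runs, the stored value changes only if it was revoked between runs, and the transient value is new every time yet still resolves to the principal while the mapping is alive.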