The following list of requirements has stabilized over the last several months. Comments are welcome
- Support for user self-registration
- User registration incorporated into sign-in flow, so new user is not stranded at IdP
- User registers once for sign-in to multiple Research and Scholarship (R&S)-tagged SPs (i.e., user identity is not SP-specific)
- Once user has authenticated at the IdP, user is not prompted for password again when visiting other SPs during the same browser session, unless required by the SP
- IdP must support the R&S entity category and be tagged as such
- Ability to Assign/Assert ePPN; values must not be reassigned
- Ability to Assign/Assert ePTIDs
- Must address the service longevity issue (even if for now the response is "TBD")
- Support for SAML Enhanced Client or Proxy (ECP)
- Support for Multiple AuthN Contexts for MFA and Assurance
- This is for their InCommon Bronze, as well as Silver and MFA, if supported.
- Support for Recommended Technical Basics for IdPs
- Conforms to the 'Interoperable SAML 2.0 Web Browser SSO Deployment Profile' as documented at http://saml2int.org
- Self-assertion of InCommon Bronze compliance
- No commercial interest in the use of user data
- IdP must be available globally to any R&S tagged SP
- NOTE: This can only be achieved at the federation level, not unilaterally by an IdP
- Available to users throughout the world (perhaps with invitation from "approved" projects)
The following criteria are highly desirable, but not required.
- Publishes aggregate usage statistics to give feedback to campus IT on use by their constituency (i.e., motivate campus to participate in R&S so the campus users don't need the IdPoLR anymore)
- Support for user consent
- Support for Silver credentials and authN (to be combined with local identity vetting to achieve Silver LoA
- Low/no cost to SPs for use
- No cost for users
- Accepts non-ASCII characters (e.g. uses UTF-8 as the default encoding) in user-entered data
- Support for some form of multi-factor authentication