Comment: Migration of unmigrated content due to installation of a new plugin

...

SHA-2 and TLS: As mentioned in 1.1, these rules are inconsistent.

 

2.2      Scope of SAML

...

3.2      What could this mean for adoption and market acceptance of the eRecognition SAML profile?

a) We recommend improving the harmonization with the Kantara eGov profile, which reflects current best practice for cross-enterprise deployments. The cost of deployment for new service providers is a key factor for market acceptance, and compliance with standards helps to drive down these costs. Investments in an optimized standard have a huge ROI in general (the cross-industry figure is a factor of 40). A proof-of-concept for interoperability with a couple of relevant products should be the benchmark.

b) We recommend scrutinizing the design decisions in the eRecognition profile that deviate from other eGov profiles. The NL-specific protocol features should be limited to allow eRecognition to connect to the SAML WebSSO ecosystem as much as possible. These decisions should be well documented to clarify the issues for deployers.

c) We recommend cooperating with other users in the government and higher education sectors who have experience in large-scale deployments. Kantara Initiative and REFEDS are platforms created for this purpose. Other EU MS like Denmark and Finland have substantial experience in this field.

3.3      How is interoperability affected by the choices taken?

There was not enough time in this review to do a detailed gap analysis against other SAML 2.0 eGov deployment profiles. At the level of this initial analysis, it would seem that the proposed standard is close to current industry practice.



[1] See "Federated Risk" at http://www.aboutidentity.org/node/42