The concern of eGov WG is that standards are not referenced in appropriate detail. OIDC is references with 13 documents, whereas SAML with just one, plus one specialized profile (STORK).
It would be useful to reference a standard in a schema that is aware of a hierarchy of stack, use case and profile.
SAML 2.0/Web SSO Use Case/Saml2int profile
WS-*/WS-Federation (no profile)
OAUTH2/Web-Application Flow (no profile)
The reference of specific documents might be less useful in the context of this document, unless a document references a single standard and a single use case.
(unrelated typo: change LDIFF to LDIF)
Existing text: “There is a SAML construct for sending identity information (SAML assertions about an identity from a trusted third party will result in creation the identity). Namespaces are present in SAML attributes.”
Proposed text: “SAML-2.0 core specifies SAML assertions that are a generic data structure about an identity from a trusted third party. SAML Assertions are used in different protocols and use cases like SAML WebSSO, WS-Trust, SCIM and OIDC. There are options for confirmation methods for clients holding key material, passive clients that can safely redirect http-requests between servers (a.k.a. web browsers), and clients acting via trusted gateways.”
Additionally identified gap:
Deployment issue: Middleware containers need to have a high degree of interoperability. Standards may not life up to that expectation and might need profiling.
The statement „If an EU/EEA public authority is using federation, use of STORK is a requirement.“ is too wide, because the EU’s mandate is just citizen eID interoperability, anything else is on a voluntary basis. Also it could be implied that the STORK SAML profile is mandatory on the national side, which is not the case. Therefore the suggested phrasing is:
“If an EU/EEA public authority is using cross-border federation, use of STORK between national gateways (“PEPS”) is a requirement.”