...
- Use of the SAML 2 ECP profile ("Enhanced Client or Proxy"), which specifies how to do service-to-service SAML flows.
- Use of standard SAML assertion attributes to constrain the use of a proxy token.
A Visio diagram of the above is available, in case you'd like to play!
Next steps
~cantor.2@osu.edu will draft initial specs for IdP enhancements needed to (1) support ECP and (2) add support for expressing policy that constrains delegation of proxy tokens.
...