•… the Identity Provider and the Service Provider get together and create a business agreement.
•The Identity Provider tells the Service Provider what kinds of security policies it has, e.g.,
–User passwords are required to be at least 8 characters in length and they must contain both upper and lower case letters.
–Users are required to change their password at least once every six months.
•The Service Provider decides whether the Identity Provider's policies are adequate for its needs.
•The two parties come to an agreement. Their lawyers may write up legal documents.
•Thus, when the SAML assertions do start flying, the Service Provider can make assumptions about the Identity Provider.