only discover new users when they first sign in!
• It uses XML (yuk)! XML signature handling is where most SAML implementation bugs live (signature wrapping, XXE), so use a maintained library rather than rolling your own validation.
• System clocks of SPs and IdPs have to agree: assertions carry NotBefore/NotOnOrAfter conditions, and the SP only accepts them within a configured clock-skew tolerance (a few minutes is a common default; ~2 sec would be unusually tight). That window bounds the age of a replayed assertion, but to actually stop replays the SP must also remember assertion IDs it has already accepted for that window!
• You can encode attributes in the SAML assertion (an AttributeStatement, e.g. email or group membership) to send from the IdP to the SP; the SP should only trust attributes from an assertion whose signature and conditions it has verified.
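To make the clock-skew, replay and attribute points concrete, here is an added example (not code from the original page or from any SAML library) that applies the SP-side checks to a constructed assertion: validity window with a skew tolerance, a replay cache keyed on the assertion ID, an audience check, and extraction of the AttributeStatement. The assertion XML, the issuer/SP URLs, the 180-second skew default and the function names are all assumptions made for this example. Signature verification is deliberately left out; in production verify the signature first with a maintained library (and parse untrusted XML with defusedxml), then run checks like these on the verified assertion.

```python
"""SP-side SAML 2.0 assertion checks: validity window, replay ID cache, attributes.

Added example, not the page's code. Signature verification is out of scope here
and must be done first in any real SP.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion for this example (not a real IdP response);
# the ds:Signature element is omitted because signature checking is not shown.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>alice@example.org</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>admins</saml:AttributeValue>
      <saml:AttributeValue>devs</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_saml_time(value):
    # SAML timestamps are xsd:dateTime in UTC, e.g. 2024-01-01T12:00:00Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


class ReplayCache:
    """Remembers accepted assertion IDs until NotOnOrAfter + skew has passed."""

    def __init__(self):
        self._seen = {}  # assertion ID -> time after which it can be forgotten

    def check_and_add(self, assertion_id, forget_after, now):
        # Purge expired IDs so the cache stays bounded by the validity window.
        self._seen = {k: v for k, v in self._seen.items() if v > now}
        if assertion_id in self._seen:
            return False
        self._seen[assertion_id] = forget_after
        return True


def validate_assertion(xml_text, expected_audience, now, replay_cache,
                       skew=timedelta(seconds=180)):  # assumed skew tolerance
    """Return (accepted, reason, attributes) for an already signature-verified assertion."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        return False, "not an Assertion", {}
    assertion_id = root.get("ID")
    if not assertion_id:
        return False, "missing ID", {}
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, "missing Conditions", {}
    not_before = parse_saml_time(cond.get("NotBefore")) if cond.get("NotBefore") else None
    not_on_or_after = parse_saml_time(cond.get("NotOnOrAfter")) if cond.get("NotOnOrAfter") else None
    # Accept only if now lies in [NotBefore - skew, NotOnOrAfter + skew).
    if not_before is not None and now < not_before - skew:
        return False, "assertion not yet valid (clock skew?)", {}
    if not_on_or_after is not None and now >= not_on_or_after + skew:
        return False, "assertion expired", {}
    # Require an AudienceRestriction naming this SP (a design choice; the spec makes it optional).
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        return False, "audience mismatch", {}
    # Replay protection: the ID must be remembered at least until it would expire anyway.
    forget_after = (not_on_or_after + skew) if not_on_or_after else now + timedelta(hours=1)
    if not replay_cache.check_and_add(assertion_id, forget_after, now):
        return False, "replayed assertion ID", {}
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return True, "ok", attrs


def demo():
    """Run the same assertion through the checks at different times; returns the four results."""
    sp = "https://sp.example.com"
    cache = ReplayCache()
    in_window = datetime(2024, 1, 1, 12, 3, tzinfo=timezone.utc)
    first = validate_assertion(SAMPLE_ASSERTION, sp, in_window, cache)
    replay = validate_assertion(SAMPLE_ASSERTION, sp, in_window, cache)
    early = validate_assertion(SAMPLE_ASSERTION, sp, in_window - timedelta(minutes=8), ReplayCache())
    late = validate_assertion(SAMPLE_ASSERTION, sp, in_window + timedelta(minutes=10), ReplayCache())
    return first, replay, early, late


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The second call with the same cache is rejected purely on the assertion ID, even though it is still inside the validity window: that is the check the time window alone does not give you. Widening the skew tolerance widens both the replay window and how long IDs must be cached, which is why it should be a deliberate setting rather than whatever the library defaults to.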