...
Name | Type | Default | Description |
---|---|---|---|
 | URI | | If set, establishes an assumed IdP to use for authentication, if none is passed explicitly with a query string parameter or overridden via content settings. |
discoveryProtocol | string | | Protocol to use for the Discovery Service. Typically either "SAMLDS" (SAML Discovery Service protocol) or "WAYF" (legacy Shibboleth WAYF protocol). |
discoveryURL | URL | | Location of the discovery service, e.g., |
relayState | string | | Overrides the relayState setting from the `<Sessions>` element. |
entityIDParam | string | | Optional, advanced setting for overriding the name of the query string parameter used to override the IdP to use. Normally "entityID" and "providerId" are the parameter names supported. This is provided to support unusual application requirements. |
target | URL | | Allows the resource to return to after SSO to be "locked" to a specific value, even when running as a result of active protection of other resources. In other words, this value overrides the actual resource location when SSO redirection is automatic, including initial access and after a timeout. |
The following attribute can be specified for the SAML1 and SAML2 protocols:

Name | Type | Default | Description |
---|---|---|---|
isPassive | boolean | false | If true, causes the `<samlp:AuthnRequest>`'s IsPassive attribute to be "true". Can be overridden by content setting or query string parameter. |
The following attributes can be specified for the SAML2 protocol:

Name | Type | Default | Description |
---|---|---|---|
 | local pathname | | An HTML template used during transmission of the |
outgoingBindings | space-delimited URIs | | List of SAML binding identifiers that determines the order of preferred `<md:SingleSignOnService>` bindings to use for the request. If this setting is used, failing to list a binding will prevent the use of an IdP that only supports the omitted binding. |
acsByIndex | boolean | false | If true, the location of the assertion consumer service to return the assertion to is passed by reference (using an index), rather than passing an explicit URL and binding. Because of the difficulty of ensuring consistent indexing between local configuration and metadata, this is not an advisable feature. |
postArtifact | boolean | false | If true, the SAML artifact binding is implemented using a form POST rather than a redirect. |
forceAuthn | boolean | false | If true, causes the `<samlp:AuthnRequest>`'s ForceAuthn attribute to be "true". Can be overridden by content setting or query string parameter. This asks the IdP for forced reauthentication (bypassing SSO). |
authnContextClassRef | space-delimited URIs | | If set, inserts a `<samlp:RequestedAuthnContext>` element containing the class reference into the `<samlp:AuthnRequest>`. This can be a whitespace-delimited list of classes to request. Can be overridden by content setting or query string parameter. This can also be configured on a per-IdP basis via a RelyingParty setting (which only applies if a more general value is not supplied). |
authnContextComparison | one of "exact", "minimum", "maximum", "better" | "exact" | If set, inserts a `<samlp:RequestedAuthnContext>` element containing the comparison operator into the `<samlp:AuthnRequest>`. Can be overridden by content setting or query string parameter. Ignored unless an authnContextClassRef value is set. This can also be configured on a per-IdP basis via a RelyingParty setting (which only applies if a more general value is not supplied). |
ECP | boolean | false | If set, enables Enhanced Client/Proxy profile support, causing the SP to recognize the headers sent by an ECP-enabled client and respond with an ECP request instead of a redirect. Note that when this occurs, the IdP need not be known for a request to be generated, unlike in the normal case. |
requestDelegation | boolean | false | If set, causes the request to carry a `<saml:Conditions>` element that includes a `<saml:AudienceRestriction>` identifying the IdP as a desired relying party for the resulting assertion. This convention is associated with support for delegation, in which the SP can authenticate itself with the assertion as the user in the course of subsequent requests to the IdP. |
NameIDFormat | URI | | If set, causes the request to require the IdP to respond with a NameID identifier of the given format. If the IdP cannot fulfill this requirement, it will return an error response (if correctly implemented). |
SPNameQualifier | URI | | If set, causes the authentication request to carry a |
signing | | | Controls outbound signing of XML messages. See Signing & Encryption. |
encryption | | | Controls outbound encryption of XML messages and content. See Signing & Encryption. |
externalInput | boolean | true | |
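As an added example (not Shibboleth's own code), the following Python sketches how the SAML2 settings in the table above map onto the `<samlp:AuthnRequest>` the SP emits, including the override order the table describes (query string parameter, then content setting, then the SessionInitiator attribute) and the rule that authnContextComparison is ignored unless authnContextClassRef is set. The helper names, issuer, ID and IssueInstant are constructed placeholders.

```python
from xml.etree import ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def resolve(name, initiator, content=None, query=None):
    # Override order from the tables: query string, then content setting, then initiator attribute.
    for source in (query or {}, content or {}, initiator):
        if name in source:
            return source[name]
    return None


def build_authn_request(initiator, idp_entity_id, content=None, query=None):
    # Hypothetical helper: issuer, ID and IssueInstant below are constructed values.
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_constructed", "Version": "2.0", "IssueInstant": "2024-01-01T00:00:00Z"})
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = "https://sp.example.org/shibboleth"
    # isPassive / forceAuthn become boolean attributes of the request element.
    for setting, xml_attr in (("isPassive", "IsPassive"), ("forceAuthn", "ForceAuthn")):
        if resolve(setting, initiator, content, query) == "true":
            req.set(xml_attr, "true")
    # NameIDFormat is carried as the Format of a NameIDPolicy element.
    fmt = resolve("NameIDFormat", initiator, content, query)
    if fmt:
        ET.SubElement(req, f"{{{SAMLP}}}NameIDPolicy", {"Format": fmt})
    # requestDelegation: Conditions/AudienceRestriction naming the IdP as audience.
    if resolve("requestDelegation", initiator, content, query) == "true":
        cond = ET.SubElement(req, f"{{{SAML}}}Conditions")
        aud = ET.SubElement(cond, f"{{{SAML}}}AudienceRestriction")
        ET.SubElement(aud, f"{{{SAML}}}Audience").text = idp_entity_id
    # authnContextComparison is ignored unless authnContextClassRef is set.
    classes = resolve("authnContextClassRef", initiator, content, query)
    if classes:
        cmp_ = resolve("authnContextComparison", initiator, content, query) or "exact"
        rac = ET.SubElement(req, f"{{{SAMLP}}}RequestedAuthnContext", {"Comparison": cmp_})
        for cls in classes.split():
            ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = cls
    return req


def describe(req):
    # Flatten the parts of the request that the settings above control.
    rac = req.find(f"{{{SAMLP}}}RequestedAuthnContext")
    pol = req.find(f"{{{SAMLP}}}NameIDPolicy")
    aud = req.find(f"{{{SAML}}}Conditions/{{{SAML}}}AudienceRestriction/{{{SAML}}}Audience")
    return {"ForceAuthn": req.get("ForceAuthn"), "IsPassive": req.get("IsPassive"),
            "NameIDFormat": None if pol is None else pol.get("Format"),
            "Comparison": None if rac is None else rac.get("Comparison"),
            "classes": [] if rac is None else [c.text for c in rac],
            "Audience": None if aud is None else aud.text}
```

Serializing the returned element with `ET.tostring(req)` shows the request as it would be sent to the IdP's `<md:SingleSignOnService>` endpoint.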
...