There is no special configuration for this use case; it's subsumed into supporting Browser SSO for SAML 1 and SAML 2 for a relying party. In the default configuration, both are enabled using the profile configuration beans named "Shibboleth.SSO" and "SAML2.SSO".

There is currently no officially supported simple method of disabling the Unsolicited SSO support for SAML 2 separately from the overall support for SAML 2 SSO. If you need to disable this feature for now, you would need to edit system/conf/webflow-config.xml, remove the flow/endpoint definition, and maintain that change across upgrades. In V3.3 and above, it's possible to remap existing profile locations to your own flow definitions; you can inquire on the support list if you want to do this.

Another way you can disable support for this feature for specific services is by modifying their SAML metadata to include AuthnRequestsSigned="true" in the <SPSSODescriptor> element. Doing so causes the IdP to require requests from that SP to be signed, and since this protocol does not allow for signing, such requests fail with an error.
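To see which relying parties the metadata change above actually covers, the following added example (not part of the Shibboleth documentation or code) parses SAML metadata and reports, per SAML 2 SP, whether AuthnRequestsSigned is set. The sample metadata, its entityIDs and the function name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample metadata with hypothetical entityIDs (not from the page).
SAMPLE_METADATA = """\
<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <EntityDescriptor entityID="https://sp-signed.example.org/shibboleth">
    <SPSSODescriptor AuthnRequestsSigned="true"
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://sp-default.example.org/shibboleth">
    <SPSSODescriptor
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://sp-saml1.example.org/shibboleth">
    <SPSSODescriptor
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol"/>
  </EntityDescriptor>
</EntitiesDescriptor>
"""

def requires_signed_requests(metadata_xml):
    """Map each SAML 2 SP entityID to True if every SAML 2 SPSSODescriptor
    sets AuthnRequestsSigned, so the IdP will insist on signed requests."""
    # Assumes locally maintained, trusted metadata; use a hardened parser otherwise.
    root = ET.fromstring(metadata_xml)
    result = {}
    # iter() also matches the root, so a lone EntityDescriptor file works too.
    for entity in root.iter(f"{{{MD_NS}}}EntityDescriptor"):
        for sp in entity.findall(f"{{{MD_NS}}}SPSSODescriptor"):
            protocols = sp.get("protocolSupportEnumeration", "").split()
            if SAML2_PROTOCOL not in protocols:
                continue  # only SAML 2 SP roles are checked
            # xs:boolean allows "true" or "1"; an absent attribute means false.
            signed = sp.get("AuthnRequestsSigned", "false").strip() in ("true", "1")
            eid = entity.get("entityID")
            result[eid] = result.get(eid, True) and signed
    return result

if __name__ == "__main__":
    for eid, signed in requires_signed_requests(SAMPLE_METADATA).items():
        state = "signed requests required" if signed else "no signing requirement"
        print(f"{eid}: {state}")
```

SPs reported without a signing requirement are the ones for which the per-service metadata approach has not been applied.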