...

Name                    Type                Default     Description
qualifiedNameIDFormats  Collection<String>              See below
signSOAPRequests        Boolean             See below   Whether to sign SOAP logout requests
clientTLSSOAPRequests   Boolean             See below   Whether to rely on client TLS for SOAP logout requests

Guidance

The qualifiedNameIDFormats option was added to deal with an interoperability issue involving the matching of SAML <NameID> elements between the values issued by the IdP and values received in <LogoutRequest> messages. The two have to "match", and the IdP was imposing a strict rule that required all the various bits of a <NameID> to be equal, which is the conservative approach, but it relies on SPs not modifying the data they receive unnecessarily.

...

While it is possible to add additional standard Formats to this set, it bears noting that none of them are defined by the standard to be compared in that fashion. They shouldn't even have qualifiers, in fact.
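To make the matching rule concrete, the following is an added Python example (not Shibboleth IdP code) that compares the NameID an IdP issued with the one received in a LogoutRequest under both the strict rule described above and a qualifier-aware rule driven by a qualifiedNameIDFormats-style set. The default contents of that set are elided on this page, so the two Formats placed in the set, the entityIDs and the identifier values are constructed assumptions, and the comparison logic is a simplified reading of the guidance rather than the IdP's actual implementation.

```python
"""Illustrative SAML NameID matching for logout (added example, not IdP code)."""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NAMEID_TAG = "{%s}NameID" % SAML_NS
# Per SAML Core, an absent Format attribute means "unspecified".
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# ASSUMPTION: the Formats whose qualifiers take part in matching. The page elides
# the real default of qualifiedNameIDFormats, so this set is a constructed stand-in.
QUALIFIED_NAMEID_FORMATS = frozenset({PERSISTENT, TRANSIENT})

# Constructed entityIDs for the scenarios below (not real deployments).
IDP = "https://idp.example.org/idp"
SP = "https://sp.example.com/shibboleth"
OTHER_SP = "https://other.example.net/sp"


def nameid_xml(value, fmt=None, name_qualifier=None, sp_name_qualifier=None):
    """Build a constructed <saml:NameID> snippet; omitted arguments omit the attribute."""
    attrs = [("xmlns:saml", SAML_NS)]
    if fmt:
        attrs.append(("Format", fmt))
    if name_qualifier:
        attrs.append(("NameQualifier", name_qualifier))
    if sp_name_qualifier:
        attrs.append(("SPNameQualifier", sp_name_qualifier))
    attr_text = " ".join('%s="%s"' % (k, v) for k, v in attrs)
    return "<saml:NameID %s>%s</saml:NameID>" % (attr_text, value)


def parse_nameid(xml_text):
    """Extract the comparable parts of a <saml:NameID> from an XML snippet."""
    root = ET.fromstring(xml_text)
    el = root if root.tag == NAMEID_TAG else root.find(".//" + NAMEID_TAG)
    if el is None:
        raise ValueError("no saml:NameID element found")
    return {
        "value": (el.text or "").strip(),
        "format": el.get("Format", UNSPECIFIED),
        "name_qualifier": el.get("NameQualifier"),
        "sp_name_qualifier": el.get("SPNameQualifier"),
    }


def strict_match(issued, received):
    """The conservative rule: every component of the NameID must be equal."""
    return issued == received


def qualified_format_match(issued, received, qualified_formats=QUALIFIED_NAMEID_FORMATS):
    """Value and Format must always agree; qualifiers only matter for configured Formats."""
    if issued["value"] != received["value"] or issued["format"] != received["format"]:
        return False
    if issued["format"] in qualified_formats:
        # Qualifiers scope a persistent/transient identifier, so they must be equal.
        return (issued["name_qualifier"] == received["name_qualifier"]
                and issued["sp_name_qualifier"] == received["sp_name_qualifier"])
    return True


def run_scenarios():
    """Return (strict, qualifier-aware) outcomes for several constructed SP behaviours."""
    issued_p = parse_nameid(nameid_xml("a1b2c3d4", PERSISTENT, IDP, SP))
    echoed_p = parse_nameid(nameid_xml("a1b2c3d4", PERSISTENT, IDP, SP))
    stripped_p = parse_nameid(nameid_xml("a1b2c3d4", PERSISTENT))          # SP dropped qualifiers
    other_sp_p = parse_nameid(nameid_xml("a1b2c3d4", PERSISTENT, IDP, OTHER_SP))
    issued_e = parse_nameid(nameid_xml("jdoe@example.org", EMAIL))
    decorated_e = parse_nameid(nameid_xml("jdoe@example.org", EMAIL, IDP, SP))  # SP added qualifiers
    return {
        "persistent_echoed": (strict_match(issued_p, echoed_p), qualified_format_match(issued_p, echoed_p)),
        "persistent_stripped": (strict_match(issued_p, stripped_p), qualified_format_match(issued_p, stripped_p)),
        "persistent_other_sp": (strict_match(issued_p, other_sp_p), qualified_format_match(issued_p, other_sp_p)),
        "email_decorated": (strict_match(issued_e, decorated_e), qualified_format_match(issued_e, decorated_e)),
    }


if __name__ == "__main__":
    for name, (strict, qualified) in run_scenarios().items():
        print("%-20s strict=%-5s qualified=%s" % (name, strict, qualified))
```

The scenarios show the trade-off the guidance describes: an SP that decorates an emailAddress NameID with qualifiers it was never given fails the strict rule but passes the qualifier-aware one, while a persistent identifier whose qualifiers were stripped or that names a different SPNameQualifier is rejected under both, because for the Formats in the set the qualifiers are part of the identifier's meaning.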

The signing and TLS options pertain to the handling of SOAP-based logout requests, and the defaults are generally appropriate; signing is used when the peer hosts SOAP over a standard TLS port, while client TLS is used when a non-default port is used (for compatibility with older systems).