...
- includeAttributeStatement - a boolean flag indicating whether to include an attribute statement in addition to the authentication statement, defaults to true
- outboundArtifactType - Default artifact type used when sending responses via artifact, defaults to 4
- assertionLifetime - The lifetime, in milliseconds, for issued assertions, defaults to 300000 (5 minutes)
- localityAddress - IP address to use in the authentication statement's SubjectLocality element, defaults to the IP address of the client
- localityDNSName - DNS name to use in the authentication statement's SubjectLocality element
- assertionProxyCount - A non-negative integer used to populate the Count attribute in the assertion's ProxyRestriction element, defaults to 0
- includeConditionsNotBefore - (V2.4.0+) Include a NotBefore timestamp in the assertions' validity conditions, defaults to true
- signResponses - see Configuring XML Signature and Encryption
- signAssertions - see Configuring XML Signature and Encryption
- signRequests - see Configuring XML Signature and Encryption
- encryptAssertions - see Configuring XML Signature and Encryption
- encryptNameIds - see Configuring XML Signature and Encryption
In addition, the SAML 2 ECP profile configuration element supports two child elements:
- <Audience>, whose content is used to populate the <Audience> elements of the <AudienceRestriction> element. This element may appear any number of times, one for each audience.
- <ProxyAudience>, whose content is used to populate the <Audience> elements of the <ProxyRestriction> condition element. This element may appear any number of times, one for each audience.
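
As an added example (not part of the Shibboleth documentation or the IdP's own code), the following Python sketch shows how assertionLifetime, includeConditionsNotBefore, assertionProxyCount and the <Audience> and <ProxyAudience> children map onto a SAML 2.0 <Conditions> element, and how a relying party would evaluate the result. The function names and any entity IDs or timestamps passed in are assumptions made for the illustration.

```python
# Added illustration, not Shibboleth IdP code. Parameter names mirror the
# options listed above; function names and sample values are assumptions.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = "{urn:oasis:names:tc:SAML:2.0:assertion}"
FMT = "%Y-%m-%dT%H:%M:%SZ"

def build_conditions(issued, assertionLifetime=300000, includeConditionsNotBefore=True,
                     assertionProxyCount=0, audiences=(), proxy_audiences=()):
    """Build the <Conditions> element that these profile options describe."""
    cond = ET.Element(NS + "Conditions")
    if includeConditionsNotBefore:
        cond.set("NotBefore", issued.strftime(FMT))
    expiry = issued + timedelta(milliseconds=assertionLifetime)
    cond.set("NotOnOrAfter", expiry.strftime(FMT))
    if audiences:
        restriction = ET.SubElement(cond, NS + "AudienceRestriction")
        for uri in audiences:  # one <Audience> per configured audience
            ET.SubElement(restriction, NS + "Audience").text = uri
    proxy = ET.SubElement(cond, NS + "ProxyRestriction", Count=str(assertionProxyCount))
    for uri in proxy_audiences:  # one <Audience> per <ProxyAudience>
        ET.SubElement(proxy, NS + "Audience").text = uri
    return cond

def _parse(stamp):
    return datetime.strptime(stamp, FMT).replace(tzinfo=timezone.utc)

def check_conditions(cond, now, entity_id):
    """Relying-party view: return the list of condition checks that fail."""
    problems = []
    if cond.get("NotBefore") and now < _parse(cond.get("NotBefore")):
        problems.append("not yet valid")
    if cond.get("NotOnOrAfter") and now >= _parse(cond.get("NotOnOrAfter")):
        problems.append("expired")
    for restriction in cond.findall(NS + "AudienceRestriction"):
        allowed = [a.text for a in restriction.findall(NS + "Audience")]
        if entity_id not in allowed:  # must match in every restriction
            problems.append("audience mismatch")
    return problems

def may_proxy(cond, target):
    """True if a new assertion for `target` may be based on this one."""
    proxy = cond.find(NS + "ProxyRestriction")
    if proxy is None:
        return True  # no restriction stated
    count = proxy.get("Count")  # an absent Count places no limit on indirections
    allowed = [a.text for a in proxy.findall(NS + "Audience")]
    return (count is None or int(count) > 0) and (not allowed or target in allowed)
```

With the default assertionProxyCount of 0, may_proxy returns False for every target, and an assertion checked at exactly issue time plus assertionLifetime is already expired because NotOnOrAfter is an exclusive bound.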
Metadata
Because this profile requires server/container configuration above and beyond the normal IdP install process, the install-time metadata generator will generate metadata with the ECP endpoint commented out. If you are using this profile, you may want to include that endpoint in the production metadata you supply to federations or SPs, although in practice it is only useful if the ECP client code being used happens to support metadata in some way.