Options specific to the SAML 2.0 Browser SSO profile:
Name / Type | Default | Description |
---|---|---|
maximumSPSessionLifetime Duration | 0 | If non-zero, attempts to limit length of session with SP via |
skipEndpointValidationWhenSigned Boolean | false | Whether to skip validation of response location via metadata if the request was signed |
nameIDFormatPrecedence List<String> | Ordered list of NameID Format(s) to select for use, in the event that a relying party does not signal a preference. | |
ignoreScoping Boolean | false | Whether to ignore |
checkAddress Boolean | true | Whether to enforce consistency between the client's address and the value within an inbound assertion's |
proxiedAuthnInstant Boolean | true | Whether to pass through a proxied |
suppressAuthenticatingAuthorities 4.2 Boolean | false | Whether to prevent the insertion of |
maximumTimeSinceAuthn Duration | Limits the allowable time to accept a proxied authentication assertion based on its | |
authnContextComparison "exact", "minimum", "maximum", "better" | see below | Controls the comparison operator used when including |
authnContextTranslationStrategy | see below | Controls bidirectional translation of |
authnContextTranslationStrategyEx 4. |
2 | More advanced support for populating |
Guidance
The nameIDFormatPrecedence
property is a common way of controlling the type of SAML NameIdentifier / NameID included in a response, a common requirement of many commercial services. It is in fact the only way to force the use of the ill-advised "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
" Format, which it must be noted is very rarely needed, despite frequent mis-documentation to the contrary.
...