Options specific to the SAML 2.0 Browser SSO profile:

| Name | Type | Default | Description |
|---|---|---|---|
| maximumSPSessionLifetime | Duration | 0 | If non-zero, attempts to limit the length of the session with the SP via the SessionNotOnOrAfter attribute |
| skipEndpointValidationWhenSigned | Boolean | false | Whether to skip validation of the response location via metadata if the request was signed |
| nameIDFormatPrecedence | List<String> | | Ordered list of NameID Format(s) to select for use, in the event that a relying party does not signal a preference |
| ignoreScoping | Boolean | false | Whether to ignore <saml2:Scoping> elements within an SP's AuthnRequest |
| checkAddress | Boolean | true | Whether to enforce consistency between the client's address and the value within an inbound assertion's <saml2:SubjectLocality> element |
| proxiedAuthnInstant | Boolean | true | Whether to pass through a proxied AuthnInstant value from an inbound assertion when issuing new assertions based on it (the alternative is to insert a fresh timestamp) |
| suppressAuthenticatingAuthorities (4.2) | Boolean | false | Whether to prevent the insertion of <AuthenticatingAuthority> element(s) in the event of proxying |
| maximumTimeSinceAuthn | Duration | | Limits the allowable time to accept a proxied authentication assertion based on its AuthnInstant; this is principally used to cross-check use of the ForceAuthn flag |
| authnContextComparison | "exact", "minimum", "maximum", "better" | see below | Controls the comparison operator used when including <saml2p:RequestedAuthnContext> elements in proxied AuthnRequests |
| authnContextTranslationStrategy | Function<AuthnContext,Collection<Principal>> | see below | Controls bidirectional translation of <saml2:AuthnContext> content when issuing requests and generating assertions, to allow for remapping of values across the proxy boundary |
| authnContextTranslationStrategyEx (4.1) | Function<ProfileRequestContext,Collection<Principal>> | | More advanced support for populating <saml2:AuthnContext> content based on arbitrary request state (e.g. use of SAML Attributes from a proxied IdP) |

Guidance

The nameIDFormatPrecedence property is a common way of controlling the type of SAML NameIdentifier / NameID included in a response, a common requirement of many commercial services. It is in fact the only way to force the use of the ill-advised "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" Format, which it must be noted is very rarely needed, despite frequent mis-documentation to the contrary.
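As an added example (not taken from this page or from the Shibboleth project's own documentation), the fragment below shows how several of the options in the table above are set on the SAML2.SSO profile bean for a single SP in conf/relying-party.xml. It assumes the standard IdP 4 layout, where such a RelyingPartyByName bean sits inside the shibboleth.RelyingPartyOverrides list and the p: and c: Spring namespaces are declared; the SP entityID and the chosen values are placeholders.

```xml
<!-- Added example for conf/relying-party.xml; entityID and values are placeholders. -->
<bean parent="RelyingPartyByName" c:relyingPartyIds="https://sp.example.org/shibboleth">
    <property name="profileConfigurations">
        <list>
            <!-- Durations are ISO 8601 strings; checkAddress and
                 skipEndpointValidationWhenSigned are left at their
                 defaults so that the address and endpoint checks stay on. -->
            <bean parent="SAML2.SSO"
                  p:maximumSPSessionLifetime="PT8H"
                  p:checkAddress="true"
                  p:skipEndpointValidationWhenSigned="false">
                <!-- Ordered preference used only when the SP signals none;
                     persistent is tried first, then transient. -->
                <property name="nameIDFormatPrecedence">
                    <list>
                        <value>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</value>
                        <value>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</value>
                    </list>
                </property>
            </bean>
        </list>
    </property>
</bean>
```

The list form of nameIDFormatPrecedence matters because the option is ordered: the first Format the IdP can actually generate for this SP wins. Keeping skipEndpointValidationWhenSigned at false and checkAddress at true preserves the metadata-based response-location check and the SubjectLocality consistency check; relax them only for a specific SP with a documented reason, never globally.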

...