Options specific to the Shibboleth / SAML 1.1 SSO profile:

| Name | Type | Default | Description |
|---|---|---|---|
| includeAttributeStatement | Boolean | false | Whether to "push" attributes during SSO |
| nameIDFormatPrecedence | List<String> | | Ordered list of NameIdentifier Format(s) to select for use, in the event that a relying party does not signal a preference. |

Guidance

The historical default for the Shibboleth profile of SAML 1.1 was to issue only authentication information through the normal channel and rely on a SOAP back-channel to query for attributes, due to the lack of support for XML Encryption in SAML 1.1.

includeAttributeStatement is a very commonly modified setting. It is useful because of the gradual deprecation of the use of the back-channel and of support for attribute queries. With the very limited use of SAML 1.1, it's usually simpler to forgo supporting queries and simply push attributes for the few legacy systems left, relying on the TLS protections between the client and servers to protect the user's data from passive observation.
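A relying-party override that applies this guidance to a single legacy service provider, as an added example that is not part of the original page. It assumes the stock `conf/relying-party.xml` layout with the `p:` and `c:` namespaces declared; the entityID is a constructed placeholder.

```xml
<!-- Added example: fragment for conf/relying-party.xml.
     The entityID below is a constructed placeholder. -->
<util:list id="shibboleth.RelyingPartyOverrides">

    <!-- Scope the change to the one legacy SAML 1.1 SP instead of
         changing the default for every relying party. -->
    <bean parent="RelyingPartyByName"
          c:relyingPartyIds="https://legacy-sp.example.org/shibboleth">
        <property name="profileConfigurations">
            <list>
                <!-- Push attributes in the SSO response. SAML 1.1 has no
                     XML Encryption, so the statement passes through the
                     browser protected only by TLS: keep the attribute
                     filter policy for this SP to the minimum it needs. -->
                <bean parent="Shibboleth.SSO"
                      p:includeAttributeStatement="true"
                      p:nameIDFormatPrecedence="urn:mace:shibboleth:1.0:nameIdentifier" />

                <!-- SAML1.AttributeQuery is deliberately not listed, so
                     this SP cannot use back-channel attribute queries. -->
            </list>
        </property>
    </bean>

</util:list>
```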
