The Shibboleth IdP V3 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only. See the IDP4 wiki space for current documentation on the supported version.
ProfileConfiguration-SAML2SSO
Profile-Specific
Options specific to the SAML 2.0 Browser SSO profile:
Name | Type | Default | Description |
---|---|---|---|
maximumSPSessionLifetime | Duration | 0 | If non-zero, attempts to limit length of session with SP via SessionNotOnOrAfter attribute |
skipEndpointValidationWhenSigned | Boolean | false | Whether to skip validation of response location via metadata if the request was signed |
Guidance
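The skipEndpointValidationWhenSigned option is attractive in many enterprise scenarios if you prefer to maintain some degree of security but want to avoid registering metadata that contains every individual SP endpoint, which adds a lot of overhead in massively virtual-hosted environments. With the option enabled, the signature on the request, rather than the endpoint list in metadata, is what vouches for the response location.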
It can also add a degree of insulation from SP changes, but in practice, systems that are likely to change endpoint locations yet don't support metadata-based change control are also likely to misunderstand the need to keep entityIDs stable.
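The following relying-party.xml fragment is an added example, not part of the original page. It enables the option for a single vhosted SP and leaves metadata endpoint validation in force for every other relying party. It assumes the stock V3 bean names (shibboleth.DefaultRelyingParty, shibboleth.RelyingPartyOverrides, RelyingPartyByName, SAML2.SSO); the entityID and the eight-hour lifetime are constructed placeholders.

```xml
<!-- conf/relying-party.xml (fragment); entityID and PT8H are constructed sample values -->

<!-- Default for all relying parties: skipEndpointValidationWhenSigned stays at
     its default (false), so the response location is always checked against
     the endpoints registered in the SP's metadata. -->
<bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
    <property name="profileConfigurations">
        <list>
            <bean parent="SAML2.SSO" />
        </list>
    </property>
</bean>

<util:list id="shibboleth.RelyingPartyOverrides">

    <!-- One massively vhosted SP. Its metadata must still carry the signing
         key used to verify the request; only the per-vhost endpoints are
         left out. Per the option's description, the metadata check is
         skipped only if the request was signed. -->
    <bean parent="RelyingPartyByName"
          c:relyingPartyIds="https://sp.example.org/shibboleth">
        <property name="profileConfigurations">
            <list>
                <bean parent="SAML2.SSO"
                      p:skipEndpointValidationWhenSigned="true"
                      p:maximumSPSessionLifetime="PT8H" />
            </list>
        </property>
    </bean>

</util:list>
```

Scoping the override to a named entityID keeps the relaxed check from applying to SPs that do register all their endpoints in metadata.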
There are a variety of settings related to delegation that are not shown above but can be found in the relevant API documentation.