Profile-Specific

Options specific to the SAML 2.0 Browser SSO profile:

Name	Type	Default	Description
maximumSPSessionLifetime	Duration	0	If non-zero, attempts to limit length of session with SP via `SessionNotOnOrAfter` attribute
skipEndpointValidationWhenSigned	Boolean	false	Whether to skip validation of response location via metadata if the request was signed

Guidance

The skipEndpointValidationWhenSigned option is attractive in many enterprise scenarios if you prefer to maintain some degree of security but avoid registration of metadata containing every individual SP endpoint, which adds a lot of overhead in massively vhosted-environments.

It can also add a degree of insulation from SP changes, but in practice systems that are likely to change endpoint locations but don't support metadata-based change control are likely to misunderstand the need to keep entityIDs stable also.

There are a variety of settings related to delegation that are not shown above but can be found in the relevant API documentation.

Browser not supported