Early Preview
This is currently very much a preview. Please feel free to try things out,
but don't be upset if anything is not yet working. Feedback is welcome over on our
GitHub Discussions page.
class Sustainsys.Saml2.Configuration.Compatibility
Assembly: Sustainsys.Saml2
Inheritance: object → Compatibility
Compatibility settings. Can be used to make Saml2 accept certain non-standard behaviour.
Properties

public bool UnpackEntitiesDescriptorInIdentityProviderMetadata
If an EntitiesDescriptor element is found when loading metadata for an IdentityProvider, automatically check inside it whether there is a single EntityDescriptor and, in that case, use it.

public bool DisableLogoutStateCookie
Do not send the logout state cookie, e.g. if you are not using ReturnUrl or if you know the cookie will be lost due to cross-domain redirects.

public bool StrictOwinAuthenticationMode
Honor the OWIN authentication mode even on logout. Normally the logout handling is always done as if the middleware was active, to allow for simple sign out without specifying an auth type.

public bool IgnoreAuthenticationContextInResponse
Do not read the AuthnContext element in Saml2Response. If you do not need these values to be present as claims in the generated identity, using this option can prevent XML format errors (IDX13102), e.g. when the value cannot be parsed as an absolute URI.

public bool IgnoreMissingInResponseTo
Ignore the check for a missing InResponseTo attribute in the SAML response. This is different from setting allowUnsolicitedAuthnResponse, which only ignores a missing InResponseTo attribute if there is no relayState. Setting IgnoreMissingInResponseTo to true will always skip the check.

public bool EnableLogoutOverPost
Handling logout requires access to the authenticated user session. If logout is done over the POST binding, the session cookie must have SameSite=None set (which is probably a bad idea). To avoid problems, logout over POST is disabled in metadata by default.

public bool AcceptUnsignedLogoutResponses
The SAML 2.0 specification says in section 4.4.4.2: "... The responder MUST authenticate itself to the requester and ensure message integrity, either by signing the message or using a binding-specific mechanism." Unfortunately, not all IdPs seem to follow the specification. This setting disables the requirement for a signed LogoutResponse.
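A configuration-and-audit example, added here and not code from the Sustainsys.Saml2 project, showing how a deployment can enable only the relaxations it has a documented reason for and record at startup which checks it has weakened. It assumes the Compatibility class and the properties listed above; the helper names CompatibilityAudit, BuildForIdpWithUnsignedLogoutResponses and RelaxedSettings are hypothetical.

```csharp
using System.Collections.Generic;
using Sustainsys.Saml2.Configuration;

// Added example (not from the Sustainsys.Saml2 documentation or source).
// Assumes only the Compatibility class documented above; the class and
// method names below are hypothetical.
public static class CompatibilityAudit
{
    // Build a Compatibility instance that relaxes only what this deployment
    // needs. Every other setting stays at its default (false), which is the
    // standard-conforming behaviour.
    public static Compatibility BuildForIdpWithUnsignedLogoutResponses()
    {
        return new Compatibility
        {
            // Needed for an IdP whose metadata wraps a single EntityDescriptor
            // in an EntitiesDescriptor. This changes parsing only, not trust.
            UnpackEntitiesDescriptorInIdentityProviderMetadata = true,

            // Needed for an IdP that does not sign its LogoutResponse despite
            // SAML 2.0 core section 4.4.4.2. Trade-off: the LogoutResponse is
            // then not authenticated. Keep this false unless the IdP requires it.
            AcceptUnsignedLogoutResponses = true,

            // Explicitly left at default: each of these removes or bypasses a check.
            IgnoreMissingInResponseTo = false,
            EnableLogoutOverPost = false,
            IgnoreAuthenticationContextInResponse = false,
            DisableLogoutStateCookie = false,

            // Behavioural, not a security check; default is fine here.
            StrictOwinAuthenticationMode = false,
        };
    }

    // Return the names of every enabled setting that weakens a check, so the
    // startup log records exactly which deviations from the standard are in
    // effect. UnpackEntitiesDescriptorInIdentityProviderMetadata and
    // StrictOwinAuthenticationMode are omitted because they do not remove a check.
    public static IReadOnlyList<string> RelaxedSettings(Compatibility c)
    {
        var relaxed = new List<string>();
        if (c.AcceptUnsignedLogoutResponses)
            relaxed.Add(nameof(c.AcceptUnsignedLogoutResponses));
        if (c.IgnoreMissingInResponseTo)
            relaxed.Add(nameof(c.IgnoreMissingInResponseTo));
        if (c.EnableLogoutOverPost)
            relaxed.Add(nameof(c.EnableLogoutOverPost));
        if (c.DisableLogoutStateCookie)
            relaxed.Add(nameof(c.DisableLogoutStateCookie));
        if (c.IgnoreAuthenticationContextInResponse)
            relaxed.Add(nameof(c.IgnoreAuthenticationContextInResponse));
        return relaxed;
    }
}
```

Usage: call RelaxedSettings on the Compatibility object once at startup and write the returned names to the application log; for the object built above it returns a single entry, "AcceptUnsignedLogoutResponses". Where the object is attached to the service provider configuration depends on the package version you run (in Sustainsys.Saml2 2.x it is the Compatibility property of the SP options; verify this against your installed version rather than taking it from this example).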
Methods

public bool Equals(object obj)
Inherited from object

protected void Finalize()
Inherited from object

public int GetHashCode()
Inherited from object

protected object MemberwiseClone()
Inherited from object

public string ToString()
Inherited from object