| issuer-entity-id | string | required | | The SAML Entity Id that the authenticator uses when communicating with the remote SAML IDP. |
| clock-skew | uint32 | optional | 60 | The clock skew, in seconds, tolerated when validating the time conditions of the inbound response message. |
| include-subject-with-requested-authn-context | boolean | optional | false | If there is a previously authenticated subject, pass the subject in the AuthnRequest to the SAML Identity Provider. |
| force-authn | enumeration | optional | | Controls whether the ForceAuthn=true parameter is sent in the AuthnRequest. By default it is not sent; when set, this setting overrules both the forceAuthN parameter of the incoming request and any forced re-authentication configured on a client. |
| idp-entity-id | string | required | | The SAML Entity Id of the remote SAML IDP. |
| idp-url | string | required | | The target IDP URL to which SAML Authentication Requests are delivered. |
| acs-url-override | string | optional | | The Assertion Consumer Service URL as configured on the IdP; the IdP will send the SAML authentication response to this URL. This setting does not change the real ACS URL of this authenticator, so authentication responses delivered to the override URL still have to be relayed to the real ACS URL of this authenticator. |
| signature-verification-key | leafref | optional | | The key to verify the signature of received SAML Response messages. When no key is configured and signed SAML messages are received, then the messages will be rejected. |
| secondary-signature-verification-key | leafref | optional | | The secondary key to verify the signature of received SAML Response messages. This key is only used when verification using the signature-verification-key fails. |
| wants-response-signed | boolean | optional | false | Indicate whether the received SAML Response message must be signed. |
| wants-assertion-signed | boolean | optional | true | Indicate whether the received Assertion must be signed. |
| request-signing-key | leafref | optional | | Optional reference to the signing key that is used to sign outbound SAML AuthnRequest messages. If not configured, signing AuthnRequests is disabled. |
| request-binding | enumeration | optional | redirect | The binding used to send the SAML AuthnRequest message to the IDP. |
| assertion-decryption-key | leafref | optional | | The key to decrypt encrypted assertions from the SAML Response. When this is set, an encrypted assertion is required. |
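The settings above interact when a Response arrives: a configured decryption key makes encryption mandatory, a signed message with no verification key is rejected rather than accepted unsigned, the secondary key is only a fallback, and the clock skew widens the Conditions window in both directions. The following is an added illustration of those rules, not the product's own validation code: the `SamlAuthenticatorConfig` and `InboundResponse` classes are hypothetical models, and HMAC-SHA256 over the element bytes stands in for an XML signature.

```python
"""Illustration of how the SAML authenticator settings gate an inbound Response.

Added example, not the product's code. XML-DSig is replaced by HMAC-SHA256 over
the serialized element and the Response/Assertion are plain dataclasses.
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class SamlAuthenticatorConfig:
    # Hypothetical model of the table's settings; None means "not configured".
    clock_skew: int = 60
    signature_verification_key: Optional[bytes] = None
    secondary_signature_verification_key: Optional[bytes] = None
    wants_response_signed: bool = False
    wants_assertion_signed: bool = True
    assertion_decryption_key: Optional[bytes] = None


@dataclass
class InboundResponse:
    # Constructed, simplified stand-in for a SAML Response (hypothetical model).
    response_body: bytes
    assertion_body: bytes
    not_before: datetime
    not_on_or_after: datetime
    response_signature: Optional[bytes] = None
    assertion_signature: Optional[bytes] = None
    assertion_encrypted: bool = False


def sign(key: bytes, data: bytes) -> bytes:
    """Stand-in for XML-DSig: HMAC-SHA256 over the element bytes."""
    return hmac.new(key, data, hashlib.sha256).digest()


def _verify(cfg: SamlAuthenticatorConfig, data: bytes, sig: bytes) -> Optional[str]:
    """Return None on success, otherwise the rejection reason.

    A signed message with no key configured is rejected, and the secondary key
    is tried only after the primary key fails, as the table describes."""
    if cfg.signature_verification_key is None:
        return "signed message received but no signature-verification-key configured"
    if hmac.compare_digest(sign(cfg.signature_verification_key, data), sig):
        return None
    secondary = cfg.secondary_signature_verification_key
    if secondary is not None and hmac.compare_digest(sign(secondary, data), sig):
        return None
    return "signature verification failed with primary and secondary keys"


def validate_response(cfg: SamlAuthenticatorConfig, resp: InboundResponse,
                      now: datetime) -> list[str]:
    """Apply the settings to one response; an empty list means it is accepted."""
    reasons: list[str] = []
    # wants-response-signed and the verification keys
    if resp.response_signature is None:
        if cfg.wants_response_signed:
            reasons.append("wants-response-signed=true but Response is unsigned")
    else:
        err = _verify(cfg, resp.response_body, resp.response_signature)
        if err:
            reasons.append("Response: " + err)
    # wants-assertion-signed (signature taken over the decrypted assertion)
    if resp.assertion_signature is None:
        if cfg.wants_assertion_signed:
            reasons.append("wants-assertion-signed=true but Assertion is unsigned")
    else:
        err = _verify(cfg, resp.assertion_body, resp.assertion_signature)
        if err:
            reasons.append("Assertion: " + err)
    # assertion-decryption-key: when set, an encrypted assertion is required
    if cfg.assertion_decryption_key is not None and not resp.assertion_encrypted:
        reasons.append("assertion-decryption-key configured but Assertion is not encrypted")
    if cfg.assertion_decryption_key is None and resp.assertion_encrypted:
        reasons.append("encrypted Assertion received but no assertion-decryption-key configured")
    # clock-skew widens the NotBefore / NotOnOrAfter window on both sides
    skew = timedelta(seconds=cfg.clock_skew)
    if now + skew < resp.not_before:
        reasons.append("Assertion not yet valid: NotBefore is outside the clock-skew")
    if now - skew >= resp.not_on_or_after:
        reasons.append("Assertion expired: NotOnOrAfter is outside the clock-skew")
    return reasons


def demo() -> dict[str, list[str]]:
    """Constructed scenarios (keys and timestamps are made up) keyed by name."""
    old_key, new_key, rogue_key = b"idp-cert-old", b"idp-cert-new", b"not-the-idp"
    now = datetime(2024, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
    body, assertion = b"<samlp:Response/>", b"<saml:Assertion/>"

    def response(key: bytes, issued: datetime = now, signed: bool = True) -> InboundResponse:
        return InboundResponse(
            response_body=body, assertion_body=assertion,
            not_before=issued - timedelta(seconds=5),
            not_on_or_after=issued + timedelta(minutes=5),
            response_signature=sign(key, body) if signed else None,
            assertion_signature=sign(key, assertion) if signed else None,
        )

    cfg = SamlAuthenticatorConfig(signature_verification_key=new_key,
                                  secondary_signature_verification_key=old_key)
    return {
        "rollover": validate_response(cfg, response(old_key), now),
        "rogue_key": validate_response(cfg, response(rogue_key), now),
        "no_key_configured": validate_response(SamlAuthenticatorConfig(), response(new_key), now),
        "unsigned_default": validate_response(cfg, response(new_key, signed=False), now),
        "late_within_skew": validate_response(
            cfg, response(new_key, issued=now - timedelta(minutes=5, seconds=30)), now),
        "late_outside_skew": validate_response(
            cfg, response(new_key, issued=now - timedelta(minutes=6, seconds=30)), now),
    }


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(f"{name}: {'accepted' if not reasons else reasons}")
```

The `rollover` scenario shows why the secondary key exists: during an IdP certificate rotation, responses still signed with the old key keep being accepted without loosening verification. The `unsigned_default` scenario shows the defaults in the table (`wants-response-signed=false`, `wants-assertion-signed=true`) rejecting a response whose assertion is unsigned even though the unsigned Response envelope itself is tolerated.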