== Non-trivial settings ==
=== Security ===
SAML Single Logout Profile requires the logout requests and responses to be signed or otherwise integrity protected. Without this, anyone who knows a user's NameID could terminate that user's session (a denial of service). Signing messages is quite common for front-channel messages but is normally unnecessary for back-channel, as the transport is usually secured by using the certificates from the metadata. However, for back-channel logout it is the IdP who initiates the HTTP connection to the SP, and it is the '''webserver''' that answers the request. Because of the different needs, the webserver almost always uses a different certificate (a well-known server certificate) than the SP (possibly a self-signed client certificate). '''Therefore the SP must sign back-channel messages to authenticate itself to the IdP.'''

{{INFO_EN|Signing can be turned on by specifying the '''<code>signing="true"</code>''' property of the <code>ApplicationDefaults</code> or <code>ApplicationOverride</code> element in shibboleth2.xml. This is required for back-channel logout to work. Unfortunately, this enables signing of all (transport-protected) messages as well, which might affect performance.}}

=== Session lifetime ===
* SessionNotOnOrAfter
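The following shibboleth2.xml fragment is an added example, not configuration taken from this page or from the Shibboleth project; it shows where the <code>signing="true"</code> attribute from the Security section goes and where the SP-side session lifetime discussed above is configured. The entityIDs, the key and certificate file names, and the lifetime/timeout values are assumed.

```xml
<!-- Added example, not from the original page. entityID, IdP entityID,
     credential file names and the Sessions values are assumed. -->
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
          clockSkew="180">

    <!-- signing="true" signs every outbound SAML message, front- and
         back-channel alike. This is what the text requires so that the SP
         authenticates itself to the IdP on back-channel logout, at the
         performance cost the text mentions. -->
    <ApplicationDefaults entityID="https://sp.example.org/shibboleth"
                         REMOTE_USER="eppn"
                         signing="true"
                         encryption="false">

        <!-- lifetime: maximum SP session age in seconds (assumed 8 h);
             timeout: idle timeout in seconds (assumed 1 h).
             A SessionNotOnOrAfter sent by the IdP can shorten the
             effective lifetime further. -->
        <Sessions lifetime="28800" timeout="3600"
                  checkAddress="false"
                  relayState="ss:mem"
                  handlerSSL="true"
                  cookieProps="https">

            <SSO entityID="https://idp.example.org/idp/shibboleth">
                SAML2
            </SSO>

            <!-- SAML2 enables the SAML 2.0 logout endpoints (front- and
                 back-channel); Local terminates only the SP session. -->
            <Logout>SAML2 Local</Logout>

        </Sessions>

        <!-- IdP metadata: the SP trusts the IdP's certificates from here
             (assumed local file name). -->
        <MetadataProvider type="XML" file="idp-metadata.xml"/>

        <!-- The SP's own key and (possibly self-signed) certificate; this
             is the key used to sign the back-channel logout messages and
             it is deliberately separate from the webserver's TLS
             certificate (assumed file names). -->
        <CredentialResolver type="File"
                            key="sp-key.pem"
                            certificate="sp-cert.pem"/>

    </ApplicationDefaults>

</SPConfig>
```

The IdP verifies the signature on the back-channel LogoutRequest against the SP certificate published in the SP's metadata, which must therefore match <code>sp-cert.pem</code>. Going beyond what the page discusses: Shibboleth SP 2.x also accepts <code>signing="back"</code>, which signs only back-channel messages and avoids the front-channel signing overhead the text warns about; whether that suffices depends on what the IdP requires.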
== Required changes in IdP API ==
=== Name identifier caching in IdP session ===