SAML 2.0 Partnership Enhancements

In addition to the highlighted features, the following enhancements are new:

IdP-to-SP partnership features:

Time and IP address restrictions for assertion generation.
Maximum and idle timeout values to control user sessions.
Hash secret for delegated authentication using a query string.
Back channel user name and password as credentials for basic authentication across the back channel.
Setting one time use of assertions.
Reuse of the same assertion session index to the same partner during a given browser session.
Status redirect URLs to override the server errors, invalid requests, and unauthorized access errors
IdP can sign the artifact response messages before returning it to the SP.
IdP can require the SP to sign the artifact resolve message before returning message to the IdP.

SP-to-IdP partnership configuration features:

Time and IP address restrictions for assertion generation.
Maximum and idle timeout values to control user sessions.
Enforce the one time use of assertions.
SP can sign the artifact resolve message before returning it to the IdP.
SP can require the IdP to sign the artifact response message before returning the message.
Validate target URL domains setting to ensure the replying party access to the requested target domain.
Redirect mode to the target application includes the open format cookie as an option.
Remote user provisioning with the open format cookie as an option.
Status redirect URLs to override the server errors, invalid requests, and unauthorized access errors.

For more information on these features, see the Federation Manager Guide.