diff --git a/modules/saml/docs/sp.txt b/modules/saml/docs/sp.txt
index 621193e7bcda9ee7757b5f442608073f865cfb58..f89440bfd6ed6d5a45d1708b58203c29b8972ba9 100644
--- a/modules/saml/docs/sp.txt
+++ b/modules/saml/docs/sp.txt
@@ -9,11 +9,43 @@ Metadata
 
 The metadata for your SP will be available from the federation page on your simpleSAMLphp installation.
 
+Options
+-------
+
+These are options that can be used at runtime to control the authentication.
+All these options override the equivalent option from the configuration.
+
+`saml:AuthnContextClassRef`
+:   The AuthnContextClassRef that will be sent in the login request.
+
+:   *Note*: SAML 2 specific.
+
+
+`saml:ForceAuthn`
+:   Force authentication allows you to force re-authentication of users even if the user has a SSO session at the IdP.
+
+:   *Note*: SAML 2 specific.
+
+`saml:idp`
+:   The entity ID this SP should connect to.
+
+`saml:IsPassive`
+:   IsPassive allows you to enable passive authentication by default for this SP.
+
+:   *Note*: SAML 2 specific.
+
+`saml:NameIDPolicy`
+:   The format of the NameID we request from the IdP.
+    Defaults to the transient format if unspecified.
+
+:   *Note*: SAML 2 specific.
+
+
 
 Examples
 --------
 
-Here we will list some example configurations for this authentication source.
+Here we will list some examples for this authentication source.
 
 ### Minimal
 
@@ -50,6 +82,12 @@ Here we will list some example configurations for this authentication source.
     ),
 
 
+### Requesting passive authentication
+
+$auth = new SimpleSAML_Auth_Simple('default-sp');
+$auth->login(array('saml:IsPassive' => TRUE));
+
+
 Options
 -------
 
diff --git a/modules/saml/lib/Auth/Source/SP.php b/modules/saml/lib/Auth/Source/SP.php
index 8a8b58ed39f3a776c25e527d8c441bcfaf0c3fa7..ab3c73b5c379b1ea250f280496f56798befb7d55 100644
--- a/modules/saml/lib/Auth/Source/SP.php
+++ b/modules/saml/lib/Auth/Source/SP.php
@@ -185,6 +185,27 @@ class sspmod_saml_Auth_Source_SP extends SimpleSAML_Auth_Source {
 			$ar->setRelayState($state['SimpleSAML_Auth_Default.ReturnURL']);
 		}
 
+		if (isset($state['saml:AuthnContextClassRef'])) {
+			$accr = SimpleSAML_Utilities::arrayize($state['saml:AuthnContextClassRef']);
+			$ar->setRequestedAuthnContext(array('AuthnContextClassRef' => $accr));
+		}
+
+		if (isset($state['saml:ForceAuthn'])) {
+			$ar->setForceAuthn((bool)$state['saml:ForceAuthn']);
+		}
+
+		if (isset($state['saml:IsPassive'])) {
+			$ar->setIsPassive((bool)$state['saml:IsPassive']);
+		}
+
+		if (isset($state['saml:NameIDPolicy'])) {
+			$ar->setNameIdPolicy(array(
+				'Format' => (string)$state['saml:NameIDPolicy'],
+				'AllowCreate' => TRUE,
+			));
+		}
+
+
 		$id = SimpleSAML_Auth_State::saveState($state, 'saml:sp:sso', TRUE);
 		$ar->setId($id);
 
@@ -263,12 +284,18 @@ class sspmod_saml_Auth_Source_SP extends SimpleSAML_Auth_Source {
 		/* We are going to need the authId in order to retrieve this authentication source later. */
 		$state['saml:sp:AuthId'] = $this->authId;
 
-		if ($this->idp === NULL) {
+		$idp = $this->idp;
+
+		if (isset($state['saml:idp'])) {
+			$idp = (string)$state['saml:idp'];
+		}
+
+		if ($idp === NULL) {
 			$this->startDisco($state);
 			assert('FALSE');
 		}
 
-		$this->startSSO($this->idp, $state);
+		$this->startSSO($idp, $state);
 		assert('FALSE');
 	}