In order to do a better SAML replay we need to add options to SAML clients to override the default realm expiration times.
Currently there are three elements that contain time constraints:
1. The SubjectConfirmationData inside the subject:
   This is taken from the realm Access Token Lifespan.
2. The constraints inside the conditions:
   This lifespan is taken from the realm Access Code Lifespan.
3. The session lifespan:
   This value is taken from the realm SSO Session Max Lifespan.
Everything is set in SamlProtocol.java. I think that at least the first two should be added to the client to override the default values.
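Added example (not Keycloak code and not part of the original report): a small Python check that reads the three time constraints out of an assertion and reports each as seconds after `IssueInstant`, which is useful for confirming what a realm or a per-client override actually emits. It assumes the session lifespan is the `SessionNotOnOrAfter` attribute of `AuthnStatement`; the sample assertion, its timestamps and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# (label, element path, expiry attribute) for the three constraints listed above.
# Assumption: the "session lifespan" is AuthnStatement/@SessionNotOnOrAfter.
ELEMENTS = [
    ("subject_confirmation", ".//saml:SubjectConfirmationData", "NotOnOrAfter"),
    ("conditions", "saml:Conditions", "NotOnOrAfter"),
    ("session", "saml:AuthnStatement", "SessionNotOnOrAfter"),
]
# Constructed sample: unsigned, trimmed to the time-bearing elements.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" IssueInstant="2024-01-01T12:00:00Z" Version="2.0">
  <saml:Subject>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T12:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:01:00Z"/>
  <saml:AuthnStatement AuthnInstant="2024-01-01T12:00:00Z"
      SessionNotOnOrAfter="2024-01-01T22:00:00Z"/>
</saml:Assertion>"""

def _ts(value):
    # SAML timestamps are UTC xs:dateTime values ending in "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None

def time_constraints(assertion_xml):
    """Return {label: seconds from IssueInstant to expiry, or None if absent}."""
    # Only parse XML you trust this way; use a hardened parser for untrusted input.
    root = ET.fromstring(assertion_xml)
    issued = _ts(root.get("IssueInstant"))
    found = {}
    for label, path, attr in ELEMENTS:
        node = root.find(path, NS)
        expiry = _ts(node.get(attr)) if node is not None else None
        found[label] = None if expiry is None else int((expiry - issued).total_seconds())
    return found

def replay_window(assertion_xml):
    """Seconds a bearer assertion can be presented: the tighter of items 1 and 2."""
    c = time_constraints(assertion_xml)
    limits = [v for v in (c["subject_confirmation"], c["conditions"]) if v is not None]
    return min(limits) if limits else None
```

A service provider that checks both the subject confirmation and the conditions accepts the assertion only until the earlier of the two expiries, so that minimum is the value to watch when tightening either lifespan.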