The other option might be to skip the checking for assertion expiration at all in AbstractSAML2Handler. But that might have an impact on other login modules.