HttpSession Timeout - Return to Service Provider
Chad La Joie
lajoie at itumi.biz
Tue Nov 1 20:10:16 GMT 2011
On Tue, Nov 1, 2011 at 14:06, Zmuda, Matthew R <Matthew.R.Zmuda at td.com> wrote:
> Hmm.. so what do I need to have to be able to get back to SP with some response? I thought Shibboleth stored data in HttpSession. So when HttpSession is invalidated I lose this data and can no longer get back to SP. Is that not true?
No, the IdP does not use the HttpSession.
> The underlying issue I might be having may be on my end.
> Right now when I do some custom decoding via extension of org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder I put the SAMLMessageContext into HttpSession:
> httpRequest.getSession(true).setAttribute("MySAMLCxt", samlMsgCtx);
> And I use this in my application to flag that the authentication I am doing is for a SP. I'm doing this because I thought Shibboleth also put things in HttpSession. When invalidated I'm left with nothing and no way back to SP.
Again, no, Shib has nothing to do with the HttpSession.
> Is there another way in my IDP application I can tell that I am handling a SP AuthNRequest that does not involve HttpSession and allows me to go back to SP even if HttpSession expires?
I still don't understand what you're asking. The fact that you got a
request and decoded it means, by definition, you're talking to an SP.
Are you trying to disable SSO support? Why do you care if the user's
IdP session has expired and they need to authenticate again vs. being
signed-in automatically because they have an IdP session?
Chad La Joie
trusted identities, delivered