HttpSession Timeout - Return to Service Provider

Chad La Joie lajoie at
Tue Nov 1 20:10:16 GMT 2011

On Tue, Nov 1, 2011 at 14:06, Zmuda, Matthew R <Matthew.R.Zmuda at> wrote:
> Hmm.. so what do I need to have to be able to get back to SP with some response? I thought Shibboleth stored data in HttpSession. So when HttpSession is invalidated I lose this data and can no longer get back to SP. Is that not true?

No, the IdP does not use the HttpSession.

> The underlying issue I might be having may be on my end.
> Right now when I do some custom decoding via extension of org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder I put the SAMLMessageContext into HttpSession:
> httpRequest.getSession(true).setAttribute("MySAMLCxt", samlMsgCtx);
> And I use this in my application to flag that the authentication I am doing is for a SP. I'm doing this because I thought Shibboleth also put things in HttpSession. When invalidated I'm left with nothing and no way back to SP.

Again, no, Shib has nothing to do with the HttpSession.

> Is there another way in my IDP application I can tell that I am handling a SP AuthNRequest that does not involve HttpSession and allows me to go back to SP even if HttpSession expires?

I still don't understand what you're asking.  The fact that you got a
request and decoded it means, by definition, you're talking to an SP.

Are you trying to disable SSO support?  Why do you care if the user's
IdP session has expired and they need to authenticate again vs. being
signed-in automatically because they have an IdP session?

Chad La Joie
trusted identities, delivered
