HttpSession Timeout - Return to Service Provider

Zmuda, Matthew R Matthew.R.Zmuda at
Wed Nov 2 13:31:33 GMT 2011

OK, I think I see what you're saying.
Good to know that HttpSession expiring does not affect Shib.

So would it be fair to say that if I can get a LoginContext via HttpServletHelper.getLoginContext in my application, I have successfully decoded the request and am talking to an SP?

-----Original Message-----
From: users-bounces at [mailto:users-bounces at] On Behalf Of Chad La Joie
Sent: Tuesday, November 01, 2011 4:10 PM
To: Shib Users
Subject: Re: HttpSession Timeout - Return to Service Provider

On Tue, Nov 1, 2011 at 14:06, Zmuda, Matthew R <Matthew.R.Zmuda at> wrote:
> Hmm.. so what do I need to have to be able to get back to SP with some response? I thought Shibboleth stored data in HttpSession. So when HttpSession is invalidated I lose this data and can no longer get back to SP. Is that not true?

No, the IdP does not use the HttpSession.

> The underlying issue I might be having may be on my end.
> Right now when I do some custom decoding via extension of org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder I put the SAMLMessageContext into HttpSession:
> httpRequest.getSession(true).setAttribute("MySAMLCxt", samlMsgCtx);
> And I use this in my application to flag that the authentication I am doing is for a SP. I'm doing this because I thought Shibboleth also put things in HttpSession. When invalidated I'm left with nothing and no way back to SP.

Again, no, Shib has nothing to do with the HttpSession.

> Is there another way in my IDP application I can tell that I am handling a SP AuthNRequest that does not involve HttpSession and allows me to go back to SP even if HttpSession expires?

I still don't understand what you're asking.  The fact that you got a
request and decoded it means, by definition, you're talking to an SP.

Are you trying to disable SSO support?  Why do you care if the user's
IdP session has expired and they need to authenticate again vs. being
signed-in automatically because they have an IdP session?

Chad La Joie
trusted identities, delivered