Shibboleth SP getting progressively slower

Cantor, Scott cantor.2 at
Mon Nov 5 08:58:47 EST 2012

On 11/5/12 8:44 AM, "Martin Haase" <Martin.Haase at> wrote:
> I'm a bit concerned, because *if* I
>had an SLO compliant IdP, would there be no real SAML2 SLO of all active
>sessions belonging to that user?

If you don't maintain the index, absolutely. I don't understand the
question otherwise.

> Asking the other way round, why would
>the SP, being unable to find a SLO URL at the IdP in my set-up, keep
>itself from removing all sessions of the user?

My recollection is that the reverse index entries are expired based on the
expiration of the sessions they refer to, so if there's no SAML 2 logout,
they expire eventually anyway. That won't help you if you're load testing,
because every time you add a session, it pushes out the expiration.

It is not designed to accommodate load testing, not at all. It was an
oversight on my part, but not something I can fix at this point. Not in
the time I have available anyway.

-- Scott

More information about the users mailing list