Shibboleth SP getting progressively slower

Martin Haase Martin.Haase at
Mon Nov 5 10:27:25 EST 2012

Hi Scott,

Am 05.11.2012 14:58, schrieb Cantor, Scott:
> On 11/5/12 8:44 AM, "Martin Haase" <Martin.Haase at> wrote:
>> I'm a bit concerned, because *if* I
>> had an SLO compliant IdP, would there be no real SAML2 SLO of all active
>> sessions belonging to that user?
> If you don't maintain the index, absolutely. I don't understand the
> question otherwise.
Sorry, my fault. What I wanted to say: *if* I maintain the index, shibd
seems to not remove all sessions, but only the one associated with the
current request. Previous sessions are not removed. And the reverse
index for that NameId neither.
You can test this also without load, just log in twice and only call
/Logout for the latter. Then shibd logs a session removal only for the
latter session.
>> Asking the other way round, why would
>> the SP, being unable to find a SLO URL at the IdP in my set-up, keep
>> itself from removing all sessions of the user?
> My recollection is that the reverse index entries are expired based on the
> expiration of the sessions they refer to, so if there's no SAML 2 logout,
No, i *did* configure SAML2 logout, albeit without an IdP capable of this.
> they expire eventually anyway. That won't help you if you're load testing,
> because every time you add a session, it pushes out the expiration.
> It is not designed to accommodate load testing, not at all. It was an
> oversight on my part, but not something I can fix at this point. Not in
> the time I have available anyway.
It's the more-common monitoring, and the customer can perhaps live with
the reverseIndex options you added. I'm just trying to understand what
calling /Logout does and if it actually makes a difference to closing
the browser.


> -- Scott
> --
> To unsubscribe from this list send an email to users-unsubscribe at

Dr. Martin Haase
DAASI International GmbH                   phone:     +49 7071 407109-6
Europaplatz 3                              Fax  :     +49 7071 407109-9
D-72072 Tübingen                           email: Martin.Haase at
Germany                                    Web  :

Directory Applications for Advanced Security and Information Management

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2345 bytes
Desc: S/MIME Kryptografische Unterschrift
Url : 

More information about the users mailing list