IdP Clustering and CAS

Peter Schober peter.schober at
Fri May 30 07:01:34 EDT 2014

Just to expand on one item a bit from what Michael said:

* Michael A Grady <mgrady at> [2014-05-29 01:29]:
>  - if you need to still support SAMLv1 SPs, and thus want to support
>  attribute queries (back channel), then use stateless clustering
>  with the CryptoTransientId.

"Thus" suggests a logical or factual dependency on attribute queries,
but I have yet to see a SAML1-only SP that does not support attributes
pushed during SSO as well. So from my experience you can have
SAML1-only SPs and still avoid attribute queries -- provided exposing
attributes to the web browser is acceptable.
In our case those SAML1-only SPs were all commercial library services
and those only get the lib-common-terms attribute, exposure of which
to the browser is not an issue.
We're not expecting any more/new SPs which are SAML1-only and the
SAML1-only ones are getting fewer with time ever so slowly.
