Turn off SSO login for some contextClassRef URIs

Cantor, Scott cantor.2 at osu.edu
Wed May 20 11:55:59 EDT 2015

On 5/20/15, 3:39 PM, "Stefan Santesson" <stefan at aaa-sec.com> wrote:

>Is the session cache strictly tied to the ClassRef?

The AuthenticationResult objects in the session include the Subject and 
the Subject includes all of the custom Principals attached if they support 
serialization. A Result can be reused for SSO if it meets the requirements 
of a request.

>I still want authenticaiton using ClassRef 1 to allow session to be 
>So if authn is requested with ClassRef 2, then that cache from ClassRef 1
>is not valid.

That happens regardless. No request for exactly Foo can ever be satisfied 
by a Result that only includes Bar. What you said was the opposite, 
preventing a request for Foo from being satisfied by a previous Result 
including Foo. The only way to prevent that is to not store it at all.

>If the caching is separated, then I think your solution would work for me.

I don't know what you mean by separated. If a Result contains both Foo and 
Bar and is stored, then a request for either Foo or Bar can be satisfied 
by it (SSO).

-- Scott

More information about the users mailing list