SP client-side session storage and originating IdP

Wessel, Keith kwessel at illinois.edu
Mon Aug 13 15:03:36 EDT 2018

Thanks, Scott. And the only way to cluster the reverse mappings today is with something like a database or memcache, right? Which defeats the purpose of client-side storage.


-----Original Message-----
From: users <users-bounces at shibboleth.net> On Behalf Of Cantor, Scott
Sent: Monday, August 13, 2018 1:56 PM
To: Shib Users <users at shibboleth.net>
Subject: RE: SP client-side session storage and originating IdP

> The docs say that you provide a list of attributes that you want to 
> store in the cookie. I assume these are attribute friendly names as 
> configured in the attribute map.


> I'm wondering what other non-attribute information gets stored in the cookie.
> Specifically, will another clustered SP node know the IdP that 
> generated the assertion to be able to initiate a federated logout?

Yes, but inbound logout won't work reliably if the reverse mappings aren't clustered, which defeats the purpose in most cases so logout will be more unreliable than it already is.

-- Scott

For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net

More information about the users mailing list