SessionCache and Session Recovery

Cantor, Scott cantor.2 at
Mon Jun 27 19:17:12 UTC 2022

On 6/26/22, 2:28 PM, "users on behalf of Shu Gao via users" <users-bounces at on behalf of users at> wrote:

> We have 2 types of clients using SSO login to access our Shibboleth SP, one is web-based, the other one is
> using a script written in Python.

That's not supported, except for the ECP endpoint. If you want to screen scrape, you are on your own.

> After we upgraded SPv2 to SPv3, the Python client stopped working.

That is exactly why it's not supported. You will never make that work other than coincidentally and sporadically, and you shouldn't try. That is not the proper solution to whatever problem you're trying to solve.

> 1. What could be the possible reason that the Python script is redirected back to IDP even after Shibboleth
> has checked the SAML assertion and is OK with it (at least it appears to be)?

Don't know, don't care. See above. If you want to know, look at the logs, trace cookies, etc. I'm sure it's cookies in some form.

> 2. Do we need to enable "Session recovery" in <SessionCache> to support multiple SP servers?

That depends on the app, but generally you either need a persistent storage back-end, a shared shibd (which won't scale and isn't supported), or the recovery option, or possibly just sticky load balancing.

> 3. The documentation says <SessionCache> can be omitted, resulting in the <StorageService> cache type being
> used. And if it is not omitted, the only implemented 'type' is 'StorageServiceSessionCache'. It sounds to me like
> 'StorageServiceSessionCache' is the same as the default <StorageService> cache type?

That's the only type ever implemented.

> 4. For session recovery, what values can I use for persistedAttributes?

The local attribute IDs you happen to use in the SP based on the attribute extraction step that takes place.

> 5. Is it right - to use <DataSealer>, I have to remove <StorageService> and use the default values?

No, it's not, that's orthogonal. You can, though likely wouldn't, use a database for storage while still using the cookie feature.

-- Scott
