...

Tip

Note that timeout policy is not configured on the session cache, because it may need to differ from one application to another. Timeouts are set via the <Sessions> element within the application configuration section(s) of the file; the session cache only adds its own allowance on top of whatever an application's timeout works out to.

...

The feature is enabled by supplying a list of attributes to save and transfer between nodes using the persistedAttributes setting. The feature also requires that a <DataSealer> element be defined in the configuration. This supplies the key(s) used to encrypt and decrypt the cookies, and the security of the SP as a whole is severely compromised if those key(s) are compromised: anyone holding them can mint a recovery cookie that the SP will accept as a valid session. Protect the key file accordingly (readable only by the account shibd runs as) and keep the persisted attribute list to what applications actually need, since everything in it is written to the browser. Revoking the keys is, however, a simple matter of deleting or editing a file.

...

A number of the settings below are a shotgun approach to dealing with a fairly obscure but serious problem that arises when an SP is monitored or performance-tested via a service account that causes an IdP to issue it assertions with a fixed Name Identifier value. The cache maintains a reverse index from Name Identifier to session(s) in order to support SAML logout, and every session created for that one identifier accumulates under the same index entry. Rather than a total redesign of the software to handle this, various settings can be used to limit the impact of the practice: excluding the identifier outright, capping the number of sessions tracked per identifier, or turning the index off when logout is not needed.

type
    Type: string
    Default: StorageService
    Specifies the type of Session Cache plugin to use.

cacheAllowance
    Type: seconds
    Default: 0
    Adds the time specified to a session's application-derived timeout setting to determine how much extra time, if any, an expired session is left in the cache (this is essentially "slop" time to make logout more reliable).

    If timeouts are disabled in a given case, this setting still applies, so it may also act as a lower bound on the practical lifetime of sessions in the cache. If both timeouts and this setting are zero, then the lifetime is the only bound on the session's expiration from the cache.

maintainReverseIndex
    Type: boolean
    Default: true
    When false, disables the ability to reverse map from a SAML Name Identifier to the associated session(s). The reverse index is required for SAML logout but is unused otherwise, so it can be disabled to improve performance where logout is not needed.

reverseIndexMaxSize
    Type: integer
    Default: 0 (no limit)
    Limits the number of sessions tracked by the reverse index for a given identifier; the default imposes no limit.

excludeReverseIndex (3)
    Type: whitespace-delimited list of strings
    Default: (none)
    Supplies a list of Name Identifier values to exclude from the reverse mapping of identifiers to sessions. Useful to retain logout support for real users while excluding identifiers used in load testing or monitoring.

persistedAttributes
    Type: whitespace-delimited list of strings
    Default: (none)
    Enables the session recovery capability new in V3, which allows sessions to cross server nodes by saving important data to an encrypted cookie and reconstituting the session as needed. This is described above.

unreliableNetworks (3.1)
    Type: whitespace-delimited list of CIDR masks
    Default: (none)
    Loosens the comparison performed by the session cache when the <Sessions> element's consistentAddress setting is "true": a session may still be used if the address bound to the session and the client's current address fall within the same network listed here, even though the two addresses differ.
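The fragment below is an added example of how the settings above fit together in shibboleth2.xml; it is written for this page and is not the Shibboleth project's distributed default configuration. It ties together the persistedAttributes/<DataSealer> pairing described earlier, the reverse-index settings for a monitoring account, and the <Sessions> element that actually carries the timeout policy. Names not documented on this page are assumptions drawn from the standard SP configuration: the 3.0 namespace URI, the StorageService="mem" reference and its <StorageService> declaration, the type and path attributes of <DataSealer>, and the lifetime/timeout attributes of <Sessions>. The Name Identifier value and network ranges are constructed placeholders.

```xml
<!-- Added illustrative fragment of shibboleth2.xml (not the project's default file).
     Assumed, not taken from this page: the namespace URI, StorageService="mem" and
     its <StorageService> declaration, the <DataSealer> type/path attributes, and the
     lifetime/timeout attributes on <Sessions>. -->
<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">

    <!-- In-memory session store referenced by the cache via StorageService="mem". -->
    <StorageService type="Memory" id="mem" cleanupInterval="900"/>

    <!-- cacheAllowance: keep an expired session around 15 minutes past the
         application's own timeout so a late logout request can still find it.
         maintainReverseIndex: left on because SAML logout is in use.
         excludeReverseIndex: the fixed Name Identifier the IdP issues to the
         monitoring service account (constructed value) never enters the index,
         so its minute-by-minute logins cannot pile up under one entry.
         reverseIndexMaxSize: belt-and-braces cap for any other identifier that
         legitimately accumulates many sessions.
         persistedAttributes: only these attributes are written into the sealed
         recovery cookie; anything not listed is lost when a session is
         reconstituted on another node.
         unreliableNetworks: clients whose address moves within 10.0.0.0/8 or
         192.0.2.0/24 (constructed ranges) keep their session even with
         consistentAddress="true". -->
    <SessionCache type="StorageService" StorageService="mem"
                  cacheAllowance="900"
                  maintainReverseIndex="true"
                  excludeReverseIndex="monitor@example.org"
                  reverseIndexMaxSize="50"
                  persistedAttributes="eppn affiliation"
                  unreliableNetworks="10.0.0.0/8 192.0.2.0/24"/>

    <ApplicationDefaults entityID="https://sp.example.org/shibboleth">
        <!-- Timeout policy lives here, not on <SessionCache>: 8 hour absolute
             lifetime, 1 hour inactivity timeout, and address binding enforced
             (subject to the unreliableNetworks relaxation above). -->
        <Sessions lifetime="28800" timeout="3600" consistentAddress="true">
            <!-- SSO and logout handlers omitted; unchanged from a normal deployment. -->
        </Sessions>
    </ApplicationDefaults>

    <!-- Key(s) for the recovery cookie. Whoever reads this file can forge a
         session for this SP, so it must be readable only by the shibd account.
         Revocation is editing or deleting the file. -->
    <DataSealer type="Versioned" path="/var/cache/shibboleth/sealer.keys"/>

</SPConfig>
```

If SAML logout is not deployed at all, the simpler fix for the monitoring-account problem is maintainReverseIndex="false", which removes the index (and the excludeReverseIndex and reverseIndexMaxSize settings become irrelevant); the configuration above is the shape to use when logout must keep working for real users.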

Common Child Elements

None