Versions Compared

Old Version 17

changes.mady.by.user Rod Widdowson

Saved on

compared with

New Version 20

changes.mady.by.user Scott Cantor

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

The IdP provides a number of general-purpose storage facilities that can be used by core subsystems like session management and consent. Broadly speaking, there are two kinds of storage plugins: client-side and server-side. Client-side plugins have the advantage of requiring no additional software or configuration and make clustering very robust and simple, but they only support a subset of use cases. Server-side plugins (aside from the simple case of storing data in memory) support all use cases, but require additional software and configuration, and usually create additional points of failure in a clustered deployment.

You may wish to review the SameSite topic, as it may have implications for your storage options and/or the need to address SameSite based on your chosen options.

The IdP ships with 3 preconfiguredĀ org.opensaml.storage.StorageService beans:

...

Reference

Expand
titleProperties

Property

Type

Default

Description

idp.storage.cleanupInterval

Duration

PT10M

Interval of background thread sweeping server-side storage for expired records

idp.storage.htmlLocalStorage

Boolean

false

Whether to use HTML Local Storage (if available) instead of cookies

idp.storage.clientSessionStorageName

String

shib_idp_session_ss

Name of cookie or HTML storage key used by the default per-session instance of the client storage service

idp.storage.clientPersistentStorageName

String

shib_idp_persistent_ss

Name of cookie or HTML storage key used by the default persistent instance of the client storage service

idp.session.StorageService

Bean ID of a StorageService

shibboleth.ClientSessionStorageService

Storage back-end to use for IdP sessions, authentication results, and optionally tracking of SP usage for logout

idp.consent.StorageService

Bean ID of a StorageService

shibboleth.ClientPersistentStorageService

Storage back-end to use for consent and terms-of-use records

idp.replayCache.StorageService

Bean ID of a StorageService

shibboleth.StorageService

Storage back-end to use for message replay checking (must be server-side)

idp.replayCache.strict

Boolean

true

Whether storage errors during replay checks should be treated as a replay

idp.artifact.StorageService

Bean ID of a StorageService

shibboleth.StorageService

Storage back-end to use for short-lived SAML Artifact mappings (must be server-side)

idp.cas.StorageService

Bean ID of a StorageService

shibboleth.StorageService

Storage back-end to use for CAS ticket mappings (must be server-side)

Expand
titleBeans

The following beans (most of which are internal to the system) can be used in various properties to control what storage instances are used for specific purposes. You can define your own beans also (e.g. in global.xml).

Bean ID

Type

Description

shibboleth.StorageService

MemoryStorageService

Default server-side storage, stores data in memory

shibboleth.ClientSessionStorageService

ClientStorageService

Default client-side storage for per-session data, stores data in session cookies or HTML local storage

shibboleth.ClientPersistentStorageService

ClientStorageService

Default client-side storage for long-lived data, stores data in persistent cookies or HTML local storage

shibboleth.ClientStorageServices

List<StorageService>

Enumeration of ClientStorageService plugins used, ensures proper load/save of data

...

Expand
titleClientStorageService

The ClientStorageService is an advanced, and highly recommended, option that includes support for HTML Local Storage along with cookies as a fallback or alternative.

Local Storage support is enabled by default for new installationsinstallation, but note that there are visual impacts from the use of the feature and it requires JavaScript be enabled, because reading and writing to the client requires an explicit page be rendered. When JavaScript is enabled, the additional page appears quickly as a short-lived interstitial with a message about the loading or saving of the data to the client. In practice, it is has no material impact on the user experience.

Controlling this feature is handled by the idp.storage.htmlLocalStorage property.

No configuration is required, but you may want to change the look and feel of the templates that are displayed to the client while data is being read or written. These pages don't require any user interaction as long as JavaScript is enabled, but they tend to be visible at least briefly, particularly the first time through. They're somewhat similar to the templates displayed when SAML messages are handed off to the browser.

Much of that look is obviously controlled by style sheets and message properties, but the "visible" portions are in views/client-storage (to avoid losing your changes on upgrades).

As to why you would use Local Storage, there are really two main reasons:

  • Logout

  • Consent

The main reason for this feature is to enable the IdP's session manager to track and index the sessions created with SPs, and that information does not fit reliably in a cookie. That makes the single-logout feature unusable with client-side sessions unless Local Storage is enabled, since the IdP doesn't know what SPs to communicate with. Enabling the Local Storage feature is necessary but not sufficient to allow at least some form of single logout to work without moving session storage to the server. You also will need to ensure a couple of additional session management properties (idp.session.trackSPSessions and idp.session.secondaryServiceIndex) are enabled, and they are also on by default in new installs. There are two properties because the latter is more a SAML-specific need that may not extend to other protocols in the future.

The consent feature is very limited when cookies are used because the number of records it can store is extremely small. If Local Storage is available, that limit is essentially ignored. If you're comfortable with tracking consent per-device, this is a much more practical way to deploy it at most sites than with a database. Of course, many deployers are not comfortable with per-device consent, but those same deployers may become a lot more comfortable with it after enough database connection failures due to the nearly universally poor quality of JDBC networking code.

...