The Shibboleth IdP V3 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only. See the IDP4 wiki space for current documentation on the supported version.


The <ResultCache> element specifies the manner in which results may be cached for subsequent lookups.

Known Security Issue

The <ResultCache> element in IdP versions before 3.3.0 has a serious security issue when used in conjunction with the LDAP connector, as described in security advisory 20161027. If you are using a vulnerable version of the IdP then you should not use this element in new deployments, and you should remove it from existing deployments.

The <ResultCache> element can be used safely with LDAP starting with IdP version 3.3.0.

Schema Name and Location

This element is defined in the urn:mace:shibboleth:2.0:resolver namespace, the schema for which is located at


<ResultCache maximumCachedElements="100"/>

Configuration Reference


The <ResultCache> element has two optional attributes:




Integer500                  Maximum number of entries the cache may contain

expireAfterAccess 3.4

DurationPT4HDuration since last use after which any entry will be removed from the cache. The duration is reset on each access.

expireAfterWrite 3.4

Duration after which any entry will be removed from the cache. The duration is from first use.


DurationDeprecated 3.4Duration, since last use, after which any entry will be removed from the cache
Deprecated as of V3.4, use the more precisely-named expireAfterAccess

Child Elements

No child elements are defined.


The caching specified by the <ResultCache> element can instead be defined by specifying a <ResultCacheBean> element on the data connector, which allows for complete replacement of cache result handling.