The Shibboleth V2 IdP and SP software have reached End of Life and are no longer supported. This documentation is available for historical purposes only. See the IDP v4 and SP v3 wiki spaces for current documentation on the supported versions.


The <SessionCache> element configures the plugin used for the caching of user sessions. The cache manages access to attributes, session metadata, and SAML assertions, and enforces session timeout policy.

On Version 2.4 and above, this element can be omitted, resulting in the "StorageService" cache being used, on top of the default StorageService, with other options defaulted.

Common Attributes

  • type (string)
    • Name of plugin type.
  • cacheAllowance (time in seconds) (defaults to 0) (Version 2.4 and Above)
    • Adds the time specified to a session's application-derived timeout setting to determine the amount of extra time, if any, to leave an expired session in the cache.
  • cacheTimeout (deprecated) (time in seconds) (defaults to 0 on 2.4+, 28800 on earlier versions)
    • Deprecated in favor of the cacheAllowance setting. Period of inactivity after which unused sessions can be deleted from the cache. Should be set to a value at least as large as the largest timeout defined in the <Sessions> element of an Application, so that sessions don't disappear prematurely.
  • maintainReverseIndex (boolean) (defaults to true) (Version 2.5 and Above)
    • When false, disables the ability to reverse map from a SAML Name Identifier to the session(s) associated with it. This is required for SAML logout, but is unused otherwise, so can be disabled to improve performance or prevent problems when load testing or monitoring with a fixed identifier.
  • excludeReverseIndex (list of strings) (Version 2.5 and Above)
    • Supplies a list of Name Identifier values to exclude from the reverse mapping of identifiers to sessions. Useful to maintain logout support, but exclude identifiers used in load testing or monitoring.

StorageService SessionCache

Identified by type="StorageService", stores data using a previously-defined <StorageService> plugin. Includes a hybrid design that detects in-process vs. out-of-process use and buffers frequently-used sessions inside the web server to minimize repeated transfers of data across the process boundary. Memory use can be tuned.

<SessionCache type="StorageService" StorageService="db" cacheAllowance="3600" inprocTimeout="900" cleanupInterval="900"/>


  • StorageService (XML IDREF)
    • Reference to the id attribute of a previously defined <StorageService> element. If omitted, an arbitrary/default instance will be selected.
  • cleanupInterval (time in seconds) (defaults to 900)
    • Interval in seconds between background cleanup of in-process second-level cache.
  • inprocTimeout (time in seconds) (defaults to 900)
    • Period of inactivity after which unused sessions can be deleted from the in-process second-level cache. Set to a higher value to increase performance and memory usage, or a lower value to decrease memory usage and performance. This setting only adjusts performance trade-offs and does not cause any sessions to be purged from underlying cache storage.
  • cacheAssertions (boolean) (defaults to true) (Version 2.4 and Above)
    • Determines whether to store copies of SAML assertion(s) supplied during the creation of the session. Can be turned off to save memory and improve performance of cache.
  • inboundHeader (string) (Version 2.4 and Above)
    • If set, the cache will look for the session key in the specified HTTP request header in addition to a Cookie header.
  • outboundHeader (string) (Version 2.4 and Above)
    • If set, the cache will return a created session key in the specified HTTP response header in addition to a Set-Cookie header.