We're running a Policy Server and we'd like to know why, in a Federation
Partnership HTTP_POST, the Session Store is required?
Policy Server 12.8SP3 on RedHat 7
At first glance, the usage of the Session Store is for security
reasons, which means it can work without it, but that will leave a security
breach. The Session Store is what "verifies that the assertion is only used
one time":
HTTP-POST single use policy (SAML 2.0 and WS-Federation)
The single use policy feature prevents assertions from being reused at
the relying party to establish a second session. The relying party
stores time-based data about the assertion, which is known as expiry
data, in its session store. Expiry data verifies that the assertion is
only used one time.
A session store is required at the relying party, but a persistent
session is not required.
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8/configuring/partnership-federation/federation-features-requiring-the-session-store.html
So in the Session Store, the time-based data will be inserted and
verified to prevent the re-use of the same data.
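The single-use check described above, as an added Python example (not code from the Broadcom docs or the Policy Server): a relying-party store that records each assertion's ID together with its NotOnOrAfter expiry and rejects a second presentation of the same assertion, or any presentation past its expiry. The assertion XML, IDs and timestamps are constructed for the example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (hypothetical ID, issuer and dates), trimmed to
# the fields the single-use check needs: the ID and the NotOnOrAfter condition.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3-constructed" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z"
      NotOnOrAfter="2024-01-01T12:05:00Z"/>
</saml:Assertion>"""


def parse_expiry_data(assertion_xml):
    """Return (assertion_id, not_on_or_after) from a SAML 2.0 assertion."""
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", SAML_NS)
    stamp = cond.get("NotOnOrAfter").replace("Z", "+00:00")
    return root.get("ID"), datetime.fromisoformat(stamp)


class SingleUseStore:
    """Relying-party 'expiry data': assertion ID -> NotOnOrAfter.

    An entry only needs to live until NotOnOrAfter, because after that the
    assertion is rejected by its validity window anyway, so purging expired
    entries keeps the store bounded without weakening the replay check."""

    def __init__(self):
        self._seen = {}

    def _purge(self, now):
        self._seen = {aid: exp for aid, exp in self._seen.items() if exp > now}

    def consume(self, assertion_xml, now):
        """Accept an assertion at most once, and only inside its window."""
        assertion_id, expiry = parse_expiry_data(assertion_xml)
        self._purge(now)
        if now >= expiry:
            return "rejected: expired"
        if assertion_id in self._seen:
            return "rejected: replay"
        self._seen[assertion_id] = expiry
        return "accepted"


def demo():
    """First use accepted, replay 30 s later rejected, late use rejected."""
    store = SingleUseStore()
    t0 = datetime(2024, 1, 1, 12, 1, tzinfo=timezone.utc)
    return (store.consume(SAMPLE_ASSERTION, t0),
            store.consume(SAMPLE_ASSERTION, t0 + timedelta(seconds=30)),
            store.consume(SAMPLE_ASSERTION, t0 + timedelta(minutes=10)))
```

Without the store (or with a store that is not shared between Policy Servers), the second `consume` call would be accepted, which is exactly the reuse the single-use policy exists to stop.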