Session store on federation partnership


Article ID: 195333




CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
SITEMINDER



We're running a Policy Server and we'd like to know why, in a Federation
Partnership using the HTTP-POST binding, the Session Store is required.




Policy Server 12.8SP3 on RedHat 7




The Session Store is required for a security reason: it is what lets the
relying party enforce the HTTP-POST single-use policy, that is, verify
that each assertion is consumed only once. The partnership can technically
be configured without a Session Store, but then nothing prevents an
assertion that has already been used to establish a session from being
POSTed again and accepted a second time while it is still inside its
validity window. The product documentation describes the feature as
follows:

  HTTP-POST single use policy (SAML 2.0 and WS-Federation)

    The single use policy feature prevents assertions from being reused at
    the relying party to establish a second session. The relying party
    stores time-based data about the assertion, which is known as expiry
    data, in its session store. Expiry data verifies that the assertion is
    only used one time.

    A session store is required at the relying party, but a persistent
    session is not required.

So at the relying party the Session Store records each consumed assertion
together with its expiry data; when the same assertion is presented again
while that entry is still valid, the Policy Server rejects it instead of
establishing a second session. This is why the HTTP-POST binding in a
Federation Partnership requires a Session Store even though a persistent
session is not needed.
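To make the mechanism concrete, the following is an added example written
for this article; it is not CA SiteMinder code. An in-memory dictionary
stands in for the Policy Server session store, the assertion is a
constructed, unsigned SAML 2.0 fragment, and all function and class names
are hypothetical. Signature validation, which a real relying party performs
before any of this, is left out so the replay check itself stays visible.
The stateless check beside it shows what a relying party without a store
can verify on its own: only that the assertion has not yet expired, which
is why a replay inside the validity window is accepted.

```python
"""Single-use (anti-replay) check for an assertion received over HTTP-POST.

Added illustration, not SiteMinder code. The store below is a per-process
dictionary standing in for the Policy Server session store.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample: minimal, unsigned, valid for five minutes.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-assertion-0001" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z"/>
</saml:Assertion>"""


def parse_assertion(xml_text):
    """Return (assertion ID, NotOnOrAfter as epoch seconds) from the XML."""
    root = ET.fromstring(xml_text)
    tag = "{%s}Assertion" % SAML_NS
    assertion = root if root.tag == tag else root.find(".//" + tag)
    conditions = assertion.find("{%s}Conditions" % SAML_NS)
    expires = datetime.strptime(conditions.get("NotOnOrAfter"),
                                "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return assertion.get("ID"), expires.timestamp()


class AssertionReplayStore:
    """Maps consumed assertion ID -> expiry (epoch seconds): the 'expiry data'.

    An entry only needs to live until the assertion's own NotOnOrAfter,
    because after that the validity check rejects the assertion anyway.
    """

    def __init__(self):
        self._expiry = {}

    def size(self):
        return len(self._expiry)

    def _prune(self, now):
        # Drop entries whose assertion can no longer be presented successfully.
        for aid in [a for a, exp in self._expiry.items() if exp <= now]:
            del self._expiry[aid]

    def consume(self, assertion_id, not_on_or_after, now):
        """True the first time an unexpired assertion is presented, False after."""
        self._prune(now)
        if not_on_or_after <= now:
            return False            # expired: reject, nothing worth recording
        if assertion_id in self._expiry:
            return False            # replay: already used to establish a session
        self._expiry[assertion_id] = not_on_or_after
        return True


def stateless_check(not_on_or_after, now):
    """What a relying party with no store can verify: validity window only."""
    return not_on_or_after > now


def simulate():
    """Present one assertion three times, with and without the replay store."""
    aid, exp = parse_assertion(SAMPLE_ASSERTION)
    t0 = exp - 300                  # five minutes before expiry: assertion is fresh
    store = AssertionReplayStore()
    with_store = [store.consume(aid, exp, t0),        # first POST: accepted
                  store.consume(aid, exp, t0 + 1),    # replay one second later
                  store.consume(aid, exp, exp + 1)]   # replay after expiry
    without_store = [stateless_check(exp, t0),
                     stateless_check(exp, t0 + 1),
                     stateless_check(exp, exp + 1)]
    return with_store, without_store


if __name__ == "__main__":
    print(simulate())
```

Running it shows the difference the store makes: with the store the three
results are accepted, rejected, rejected; without it they are accepted,
accepted, rejected, so the replay within the validity window goes through.
The dictionary here is per-process, which is exactly why a real deployment
uses a shared session store rather than memory local to one Policy Server:
every server in the environment that can receive the POST must see the same
expiry data, or a replay sent to a different server would succeed.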