Session store on federation partnership


Article ID: 195333

Products

CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On Agents (SiteMinder) CA Single Sign On Federation (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) SITEMINDER

Issue/Introduction


We're running a Policy Server and we'd like to know why, in a Federation
Partnership using HTTP-POST, the Session Store is required?


Environment


Policy Server 12.8SP3 on RedHat 7


Resolution


The Session Store is required for a security reason: the HTTP-POST
partnership can technically work without it, but doing so leaves a
security gap. The Session Store is what lets the relying party "verify
that the assertion is only used one time":

  HTTP-POST single use policy (SAML 2.0 and WS-Federation)

    The single use policy feature prevents assertions from being reused at
    the relying party to establish a second session. The relying party
    stores time-based data about the assertion, which is known as expiry
    data, in its session store. Expiry data verifies that the assertion is
    only used one time.

    A session store is required at the relying party, but a persistent
    session is not required.

  https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8/configuring/partnership-federation/federation-features-requiring-the-session-store.html

So the Session Store is where the time-based expiry data for each
received assertion is written and later checked, which prevents the same
assertion from being replayed to establish a second session.
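To make the single-use check concrete, here is an added illustration (not SiteMinder code, and not taken from the Broadcom documentation) of how a relying party can use a store of per-assertion expiry data to reject a replayed assertion. The Assertion class, SingleUseStore and the constructed assertion ID and timestamps are assumptions.

```python
import time
from dataclasses import dataclass

# Constructed, minimal model of a SAML assertion: only the two fields the
# single-use check needs (the assertion ID and its NotOnOrAfter condition).
@dataclass(frozen=True)
class Assertion:
    assertion_id: str
    not_on_or_after: float  # epoch seconds, from <saml:Conditions>


class SingleUseStore:
    """Hypothetical in-memory stand-in for the relying party's session store.

    It keeps the 'expiry data' for each accepted assertion ID until that
    assertion's own NotOnOrAfter time; after that the entry can be dropped,
    because the assertion would be rejected as expired anyway.
    """

    def __init__(self):
        self._expiry = {}  # assertion_id -> not_on_or_after

    def _prune(self, now):
        # Forget entries whose assertion can no longer be valid.
        for aid in [a for a, exp in self._expiry.items() if exp <= now]:
            del self._expiry[aid]

    def consume(self, assertion, now=None):
        """True the first time an unexpired assertion is presented, else False."""
        now = time.time() if now is None else now
        self._prune(now)
        if assertion.not_on_or_after <= now:
            return False  # expired: reject, nothing to record
        if assertion.assertion_id in self._expiry:
            return False  # replay: this assertion was already used once
        self._expiry[assertion.assertion_id] = assertion.not_on_or_after
        return True


def accept_without_store(assertion, now):
    """What remains without a session store: only the time window is checked."""
    return assertion.not_on_or_after > now


def demo():
    a = Assertion("_constructed-assertion-1", not_on_or_after=1000.0)
    store = SingleUseStore()
    return (store.consume(a, now=900.0),     # first use: accepted
            store.consume(a, now=901.0),     # second use: rejected as replay
            accept_without_store(a, 901.0))  # no store: the replay is accepted
```

Calling demo() returns (True, False, True): the same assertion is accepted once, rejected on replay, and would pass a time-window-only check, which is the gap the Session Store closes.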