When running a Policy Server with attribute mappings configured on a
given User Directory as:
One might like to know whether the Policy Server calculates these
each time they are requested, or only when they are used in a
Response or SAML assertion.
At first glance, an attribute value is calculated and retrieved from
the LDAP server whenever a request needs it. This happens when
identifying the user and when verifying the user credentials, and
again on a Response. Note that for a Response, you can cache the
value so that the Policy Server does not calculate it again for an
interval of time (1)(2).
So for a Response, you can configure whether the attribute value found
is cached or recalculated, depending on a given time in seconds (3).
Use Authentication Guidelines to Estimate Directory Searches
(Required) Two searches to authenticate each user:
- One search/query, per store, to identify the user
- One search/query to verify the user credentials
(Optional) Additional searches may be required depending on how you
design policies and if you decide to enable Password Services:
- One search/query for each policy that is bound to a response
that returns user attributes.
SM_USERGROUPS and webagents
For SAML assertions, attributes are cached in the Session Store:
Supply SAML Attributes as HTTP Headers
If the authentication scheme redirect mode parameter is set to
PersistAttributes, the Policy Server caches the attributes in the
session store as session variables.
The Policy Server retrieves the attributes by a configured response.