

Storing User Session, Assertion, and Expiry Data

This section contains the following topics:

Federation Data Stored in the Session Store

Enable the Session Store

Environments that Require a Shared Session Store

Federation Data Stored in the Session Store

The session store stores data for the following federation features:

Enable the Session Store

Enable the session store to store data when using SAML artifact single sign-on, single logout, WS-Federation sign-out, and a single use policy.

The session server database is where the Policy Server Session Server stores persistent session data.

Enable the session store from the Policy Server Management Console.

Follow these steps:

  1. Log in to the Policy Server Management Console.
  2. Select the Data tab.
  3. Select Session Store from the drop-down list in the Database field.
  4. Select an available storage type from the drop-down list in the Storage field.
  5. Select the Session Store enabled check box.

    If you are going to use persistent sessions in one or more realms, enable the Session Server. When enabled, the Session Server impacts Policy Server performance.

    Note: For performance reasons, the session server cannot be run on the same database as the policy store. Therefore, the option to use the policy store database is disabled.

  6. Specify Data Source Information appropriate for the chosen storage type.
  7. Click OK to save the settings and exit the Console.
  8. Stop and restart the Policy Server.

Environments that Require a Shared Session Store

The following CA SiteMinder® features require a shared session store to store SAML assertions and user session information.

To implement these features across a clustered Policy Server environment, set up the environment as follows:

All Policy Servers that generate or consume assertions or process a persistent SMSESSION cookie must be able to contact the common session store. For example, a user logs in to example.com and gets a persistent session cookie for that domain. Every Policy Server that is handling requests for example.com must be able to verify that the session is still valid.
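The following constructed Python model (added here; it is not CA SiteMinder code and the class, method and cookie/artifact names are all assumptions) runs the same login and SAML artifact flow against two Policy Server nodes, once with a shared session store and once with per-node stores, to show why persistent sessions and single-use artifacts need the common store:

```python
from dataclasses import dataclass, field

@dataclass
class SessionStore:
    """Constructed stand-in for the session store: persistent sessions and
    single-use SAML artifacts, each kept with an absolute expiry time."""
    sessions: dict = field(default_factory=dict)   # session id -> expiry (epoch seconds)
    artifacts: dict = field(default_factory=dict)  # artifact   -> expiry (epoch seconds)

    def put_session(self, sid, expiry):
        self.sessions[sid] = expiry

    def session_valid(self, sid, now):
        expiry = self.sessions.get(sid)
        return expiry is not None and now < expiry

    def put_artifact(self, artifact, expiry):
        self.artifacts[artifact] = expiry

    def consume_artifact(self, artifact, now):
        # Single-use policy: the artifact is removed on its first lookup,
        # so a second resolve (a replay) finds nothing even if unexpired.
        expiry = self.artifacts.pop(artifact, None)
        return expiry is not None and now < expiry

class PolicyServer:
    """Constructed model of one cluster node; 'store' is whatever it was configured with."""
    def __init__(self, name, store):
        self.name, self.store = name, store

    def login(self, user, now, ttl=3600):
        sid = f"SMSESSION-{user}-{self.name}"   # constructed cookie value, not a real SMSESSION
        self.store.put_session(sid, now + ttl)
        return sid

    def issue_artifact(self, now, ttl=60):
        artifact = f"ART-{self.name}-{now}"     # constructed artifact handle
        self.store.put_artifact(artifact, now + ttl)
        return artifact

def cluster_check(shared, now=1_700_000_000):
    """Node ps1 logs a user in and issues an artifact; node ps2 must then validate both."""
    if shared:
        common = SessionStore()
        ps1, ps2 = PolicyServer("ps1", common), PolicyServer("ps2", common)
    else:
        ps1, ps2 = PolicyServer("ps1", SessionStore()), PolicyServer("ps2", SessionStore())
    artifact = ps1.issue_artifact(now)
    sid = ps1.login("alice", now)
    return {
        "artifact_resolved_on_peer": ps2.store.consume_artifact(artifact, now + 1),
        "artifact_replay_rejected": not ps2.store.consume_artifact(artifact, now + 2),
        "session_valid_on_peer": ps2.store.session_valid(sid, now + 10),
        "session_rejected_after_expiry": not ps2.store.session_valid(sid, now + 3601),
    }
```

With `shared=False` the peer node can neither resolve the artifact nor confirm the session, which is the failure the shared-store requirement prevents.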

The following illustration shows a Policy Server cluster communicating with one session store:

Graphic showing a shared session server

To share a session store, use one of the following methods: