How the WS-Federation Single Use Policy is Enforced

Upon successful validation of an assertion, the WS-Federation authentication scheme writes a record for that assertion to the expiry data table, keyed by the assertion ID and carrying an expiration time. The Session Server Management thread in the Policy Server periodically deletes expired records from the expiry data table, so the table only ever holds IDs of assertions that could still be presented.

If a single use policy is enforced, the write fails when a record with the same assertion ID already exists in the expiry data table, because that assertion has already been used to establish a session. When the scheme cannot write the record to the session server table, the WS-Federation authentication scheme denies the authentication in the same manner as it would an invalid assertion.

The write can also fail for reasons unrelated to replay, for example because the session server database is unavailable. In that case the single use policy cannot be enforced, and the authentication scheme denies the request rather than accept an assertion whose reuse it cannot rule out. The scheme fails closed: an outage of the session store results in denied logins, not in replayable assertions.
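The following is an added example, not CA SiteMinder code, that models the enforcement described above in plain Python: a store keyed by assertion ID with an atomic insert-if-absent, a purge routine standing in for the Session Server Management thread, and an authentication function that denies on a duplicate ID and fails closed when the store is unreachable. The class and function names (ExpiryStore, StoreUnavailable, Assertion, authenticate, demo), the sample assertion IDs and timestamps, and the behaviour when single use is not enforced (write failures are ignored) are assumptions made for the example, not documented product behaviour.

```python
import threading
import time
from dataclasses import dataclass


class StoreUnavailable(Exception):
    """The backing store (the session server database) cannot be reached."""


class ExpiryStore:
    """In-memory stand-in for the expiry data table (assumption for this example).

    Rows are keyed by assertion ID and hold the expiration time (epoch seconds).
    """

    def __init__(self):
        self._rows = {}
        self._lock = threading.Lock()
        self.available = True  # set to False to simulate a database outage

    def insert_if_absent(self, assertion_id, expires_at):
        """Atomically insert a row; return False if the key already exists."""
        if not self.available:
            raise StoreUnavailable("session store unreachable")
        with self._lock:
            if assertion_id in self._rows:
                return False
            self._rows[assertion_id] = expires_at
            return True

    def purge_expired(self, now):
        """What the reaper thread does: drop rows whose expiration has passed."""
        with self._lock:
            expired = [k for k, exp in self._rows.items() if exp <= now]
            for k in expired:
                del self._rows[k]
            return len(expired)

    def contains(self, assertion_id):
        return assertion_id in self._rows


@dataclass
class Assertion:
    assertion_id: str
    not_on_or_after: float   # assertion validity end, epoch seconds
    signature_valid: bool    # outcome of the signature check (not shown here)


def authenticate(assertion, store, enforce_single_use=True, now=None):
    """Return True if the assertion is accepted, False if it is denied.

    Validation comes first; only a valid assertion is recorded. The row's
    expiration is the assertion's own NotOnOrAfter, so the record outlives
    every moment at which a replay could still pass validation.
    """
    now = time.time() if now is None else now
    if not assertion.signature_valid or assertion.not_on_or_after <= now:
        return False                      # invalid or expired: deny, write nothing
    try:
        fresh = store.insert_if_absent(assertion.assertion_id, assertion.not_on_or_after)
    except StoreUnavailable:
        # Fail closed: single use cannot be enforced, so deny (assumption:
        # without single use enforcement the write failure is ignored).
        return not enforce_single_use
    if enforce_single_use and not fresh:
        return False                      # duplicate ID: replay, deny
    return True


def demo():
    """Walk through first use, replay, outage and expiry; return the outcomes."""
    store = ExpiryStore()
    a = Assertion("_a1", not_on_or_after=1000.0, signature_valid=True)
    out = {}
    out["first_use"] = authenticate(a, store, now=900.0)        # True
    out["replay"] = authenticate(a, store, now=901.0)           # False
    store.available = False
    b = Assertion("_b1", not_on_or_after=1000.0, signature_valid=True)
    out["outage"] = authenticate(b, store, now=902.0)           # False, fail closed
    store.available = True
    out["purged"] = store.purge_expired(now=1000.0)             # 1 row removed
    out["after_expiry"] = authenticate(a, store, now=1000.0)    # False, expired
    return out


if __name__ == "__main__":
    print(demo())
```

The point of using NotOnOrAfter as the row's expiration is visible in demo(): once the reaper removes the row, the same assertion is still rejected, but now by the validity check rather than the duplicate check, so purging never reopens a replay window.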


Copyright © 2010 CA. All rights reserved.