This section contains the following topics:
Federation Data Stored in the Session Store
Environments that Require a Shared Session Store
The session store stores data for the following federation features:
A SAML assertion and the associated artifact are generated at the asserting party. The artifact identifies the generated assertion. The asserting party returns the artifact to the relying party. The relying party uses the artifact to retrieve the assertion, which the asserting party stores in the session store.
A persistent session is required for this process to work.
Note: The SAML POST profile does not store assertions in the session store.
The single use policy feature prevents assertions (POST binding) from being reused at the relying party to establish a second session. The relying party stores time-based data about the assertion, which is known as expiry data, in its session store. Expiry data helps ensure that the assertion is only used one time.
A session store is required at the relying party, but a persistent session is not required.
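The two session-store uses described above, artifact resolution at the asserting party and the single use policy at the relying party, can be modelled with a small in-memory store. The following is an added example written for this page, not CA SiteMinder code; the `SessionStore` class, its method names and the sample assertion are hypothetical, and the store is a plain dictionary standing in for the shared session store.

```python
import secrets
import time
from typing import Callable, Optional


class SessionStore:
    """Minimal in-memory stand-in for a shared session store (hypothetical).
    Every entry carries an absolute expiry time so stale data is pruned
    rather than accumulating for the lifetime of the process."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self.clock = clock            # injectable so tests control time
        self._artifacts = {}          # artifact -> (assertion, expires_at)
        self._expiry_data = {}        # assertion id -> NotOnOrAfter

    def _prune(self) -> None:
        now = self.clock()
        self._artifacts = {a: v for a, v in self._artifacts.items() if v[1] > now}
        self._expiry_data = {i: t for i, t in self._expiry_data.items() if t > now}

    # Asserting party: artifact binding
    def store_assertion(self, assertion: dict, ttl_seconds: float) -> str:
        """Persist a generated assertion and return the artifact naming it.
        The artifact is an opaque random handle, not derived from content."""
        self._prune()
        artifact = secrets.token_urlsafe(20)
        self._artifacts[artifact] = (assertion, self.clock() + ttl_seconds)
        return artifact

    def resolve_artifact(self, artifact: str) -> Optional[dict]:
        """Return the assertion for an artifact and remove it, so the same
        artifact cannot be resolved twice. None if unknown or expired."""
        self._prune()
        entry = self._artifacts.pop(artifact, None)
        return None if entry is None else entry[0]

    # Relying party: single use policy
    def accept_assertion(self, assertion: dict) -> bool:
        """Accept an assertion only on its first presentation. The expiry
        data is kept until the assertion's own NotOnOrAfter passes; after
        that the assertion is rejected as expired, so no record is needed."""
        self._prune()
        not_on_or_after = assertion["not_on_or_after"]
        if self.clock() >= not_on_or_after:
            return False              # expired: reject without recording
        if assertion["id"] in self._expiry_data:
            return False              # replay: already consumed once
        self._expiry_data[assertion["id"]] = not_on_or_after
        return True


def demo(now: float = 1_000.0) -> dict:
    """Run the two flows against one store with a fixed clock (constructed
    sample data, no real SAML XML) and return what each step produced."""
    t = [now]
    store = SessionStore(clock=lambda: t[0])
    assertion = {"id": "_constructed-assertion-1", "subject": "alice",
                 "not_on_or_after": now + 300}
    artifact = store.store_assertion(assertion, ttl_seconds=60)
    results = {
        "first_resolve": store.resolve_artifact(artifact),
        "second_resolve": store.resolve_artifact(artifact),
        "first_use": store.accept_assertion(assertion),
        "replay": store.accept_assertion(assertion),
    }
    t[0] = now + 301                  # past NotOnOrAfter
    results["after_expiry"] = store.accept_assertion(assertion)
    return results


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step}: {outcome}")
```

Two design points carry over to a real deployment: the artifact is deleted on first resolution, and the expiry data for a consumed assertion only needs to live as long as the assertion itself is valid, which is why the store keeps the assertion's NotOnOrAfter rather than an unbounded record. Both behaviours only work when every Policy Server in the cluster reads the same store, which is the reason a shared session store is required.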
You can select the option Persist Authentication Session Variables when configuring federation at a relying party. This option instructs the Policy Server to save authentication context data in the session store as session variables. The Policy Server has access to these variables for use in authentication decisions.
You can select Persist Attributes as a redirect mode at the relying party. The redirect mode determines how a user is redirected to the target application. The Persist Attributes mode instructs the Policy Server to store attributes that are extracted from an assertion in the session store. The attributes can then be supplied as HTTP header variables.
If single logout is enabled, either partner can store information about the user session. The session information is kept in the session store. When a single logout request is completed, the session information for the user is removed, invalidating the session.
A persistent session is required at the Identity Provider and Service Provider.
If sign-out is enabled, user context information is placed in the session store. This information enables the software to generate a sign-out request. When a sign-out request is completed, the session information for the user is removed, invalidating the user session.
A persistent session is required at the Account Partner and Resource Partner.
Copyright © 2012 CA.
All rights reserved.