Federation Security Services Guide › Storing User Session, Assertion, and Expiry Data › Enable the Session Store

Enable the Session Store

Enable the session store to store data when using SAML artifact single sign-on, single logout, WS-Federation sign-out, and a single use policy.

Enable the session store from the Policy Server Management Console.

The session server database is where the Policy Server Session Server stores persistent session data.

To configure a database for the session server

1. Select Session Server from the Database drop-down list.
2. Select an available storage type from the Storage drop-down list.
3. Set the Enable Session Server option.

   If you are going to use persistent sessions in one or more realms, enable the Session Server. When enabled, the Session Server impacts Policy Server performance.

   Note: The Use Policy Store database option is disabled. For performance reasons, the session server cannot be run on the same database as the policy store.

4. Specify Storage Options appropriate for the chosen storage type.
5. Click OK to save the settings and exit the Console.
6. Stop and restart the Policy Server.

Environments that Require a Shared Session Store

The following SiteMinder features require a shared session store to store SAML assertions and user session information.

To implement these features across a clustered Policy Server environment, set up the environment as follows:

• Configure the login realm for persistent sessions for all features except for an HTTP-POST single use policy.

  Persistent sessions are part of the realm configuration.

• For HTTP-Artifact single sign-on, share the session store at the Producer/Identity Provider site across all Policy Servers in the cluster.

  Sharing the session store verifies that all Policy Servers have access to assertions when each one receives a request for an assertion.

• For SAML 2.0 single logout and WS-Federation signout, share the session store at the asserting and relying party across all Policy Servers in the cluster.

  Sharing the session store verifies that all Policy Servers have access to user session data when each one receives a request for a session logout.

• For the HTTP-POST and WS-Federation single use policy feature, share the session store at the relying party across all Policy Servers in the cluster.

All Policy Servers that generate or consume assertions or process a persistent SMSESSION cookie must be able to contact the common session store. For example, a user logs in to example.com and gets a persistent session cookie for that domain. Every Policy Server that is handling requests for example.com must be able to verify that the session is still valid.

The following illustration shows a Policy Server cluster communicating with one session store:

To share a session store, use one of the following methods:

• Point all Policy Servers to one session store

  In the Policy Server Management Console, configure the Policy Server to use the designated session store.

• Replicate the session store across many session stores.

  For instructions on replicating a database, use the documentation for your database.