Shibboleth Developers

[SCOTT CANTOR <>]

> Isn't it possible to use a cookie (a bit like the IdP does) to 
> store,  say, the nameidentifier (in a secure way like a
> cryptoshibhandler) so that when a request hits an SP that does not have a
> session for this user it just fetches the attributes via a backchannel
> call and creates it?

Queries are optional, so I can't rely on that as a load balancing mechanism. 
Logically it is one package of data, and the IdP is under no obligation to 
preserve the identifier's association with the principal for any length of 
time at all, at least in the case of a transient identifier.

> This would be a better solution than a replicated session cache 
> and the sticky sessions stuff don't you think?

I think some form of stickiness works fine in most cases where load balancing 
comes up. I've seen very few apps that rely on zero stickiness. But no, I 
don't think your solution works in the general case. It works in some cases, 
but would be a large amount of additional work that is not on my roadmap.

> The only way would be to do permanent sticky sessions based on the 
> IP  but that would defeat the purpose of having an excelent load 
> balancer like Perlbal...

I don't know anything about Perlbal, but I realize that deferred 
authentication doesn't really work well with a short term session binding. We 
don't defer ours, so the user's first hit to the app sticks for a short time 
while they get logged in and that's it.

-- Scott