
shibboleth-dev - Re: Shibboleth doubts

Subject: Shibboleth Developers

Re: Shibboleth doubts


  • From: SCOTT CANTOR <>
  • To:
  • Subject: Re: Shibboleth doubts
  • Date: Tue, 17 Apr 2007 09:45:11 -0400
  • Priority: normal

> Isn't it possible to use a cookie (a bit like the IdP does) to
> store, say, the nameidentifier (in a secure way like a
> cryptoshibhandler) so that when a request hits an SP that does not have a
> session for this user it just fetches the attributes via a backchannel
> call and creates it?

Queries are optional, so I can't rely on that as a load balancing mechanism.
Logically it is one package of data, and the IdP is under no obligation to
preserve the identifier's association with the principal for any length of
time at all, at least in the case of a transient identifier.

> This would be a better solution than a replicated session cache
> and the sticky sessions stuff, don't you think?

I think some form of stickiness works fine in most cases where load balancing
comes up. I've seen very few apps that rely on zero stickiness. But no, I
don't think your solution works in the general case. It works in some cases,
but would be a large amount of additional work that is not on my roadmap.

> The only way would be to do permanent sticky sessions based on the
> IP but that would defeat the purpose of having an excellent load
> balancer like Perlbal...

I don't know anything about Perlbal, but I realize that deferred
authentication doesn't really work well with a short term session binding. We
don't defer ours, so the user's first hit to the app sticks for a short time
while they get logged in and that's it.

-- Scott
