Default Project CR-7932

OPENAM-1068 In case of session upgrade the SAML IDPCache can lose the ssotoken sessionindex mapping

Closed on 07 Sep 15

  • Author & Moderator
  • Reviewers
    • Reviewer completed
    • Reviewer completed

CR-7932 10

Keyboard shortcuts  
Summarize the review outcomes (optional)


Warning: no files are visible, they have all been filtered.
Participant Role Time Spent Comments Latest Comment
Author & Moderator 2h 6 Extracted this to OPENAM-6776 for better tracking.
Neil Madden (deleted user)
Reviewer completed
Reviewer - Complete 19m 4 Looks good.
Reviewer - Complete 28m    
Reviewer - 72% reviewed 18m    
Total   3h 5m 10  


The main problem is that session upgrade triggers a session destroy for the old session and a new session is created during the upgrade. The solution for me was to introduce a new extension that SAML can utilize to ensure that during a session upgrade the cached data is relocated before IDPSessionListener would capture the destroy event and do its own cleanup job.
If the Saml2SessionUpgradeHandler code looks arbitrary, then that's because I've tried to look at IDPSessionListener and make sure that whatever IDPSessionListener would normally do can't happen during a session upgrade.


Issues Raised From Comments

Key Summary State Assignee

General Comments

19 Aug 15

Neil Madden (deleted user) says:

Looks good.

/a/openam/.../service/ Changed 2
Open in IDE #permalink
/a/openam/.../saml2/profile/ Changed 2
Open in IDE #permalink
/a/openam/.../profile/ Changed 2
Open in IDE #permalink
/a/openam/.../saml2/profile/ Changed
Open in IDE #permalink
/b/.../service/ Added
Open in IDE #permalink
/b/.../authentication/ Added 3
Open in IDE #permalink
/b/.../services/org.forgerock.openam.authentication.service.SessionUpgradeHandler Added
Open in IDE #permalink

Review updated: Reload | Ignore | Collapse

You cannot reload the review while writing a comment.

Create Issue

Assign To Me

Log time against