
Does Identity server Cache attribute values?


I have a SAML 2.0 SP configured and I am sending a few attributes in the
auth response, and based on the attribute values, the user gets logged in
to the SP site. I am using Active Directory as the identity store. I
changed the values of attributes and when I try to log in to the SP, it
still seems to get the old value from the IDP. The attribute value was
changed on the same AD server that is being used as the identity store.
So replication delay between AD servers is out of the question.

So does the IDP poll the AD servers at certain intervals and cache the
values for use next time so that it does query the AD server often? If
so, is there a way to reduce the time it caches the value to maintain
cache freshness?

-Naresh


--
nareshbk
------------------------------------------------------------------------
nareshbk's Profile: http://forums.novell.com/member.php?userid=43220
View this thread: http://forums.novell.com/showthread.php?t=452616


Re: Does Identity server Cache attribute values?

nareshbk wrote:

>
> I have a SAML 2.0 SP configured and I am sending a few attributes in
> the auth response, and based on the attribute values, the user gets
> logged in to the SP site. I am using Active Directory as the identity
> store. I changed the values of attributes and when I try to log in to
> the SP, it still seems to get the old value from the IDP. The
> attribute value was changed on the same AD server that is being used
> as the identity store. So replication delay between AD servers is
> out of the question.
>
> So does the IDP poll the AD servers at certain intervals and cache the
> values for use next time so that it does query the AD server often? If
> so, is there a way to reduce the time it caches the value to maintain
> cache freshness?


I know you can configure this for Identity Injection and FF policies,
but as far as I'm aware the attributes that are being sent across in an
assertion are not cached anywhere. Did you do an LDAP query against the
DC you are using to verify that the values are really updated?

--
Cheers,
Edward

Re: Does Identity server Cache attribute values?


Yes I did. The values are all up to date. It looks like the user is not
completely logged off and hence the IDP still uses the old value in the
session. I was told by Novell support once that attributes used in SAML
are indeed cached in the IDP, but only for that session. I made sure the
cache was cleared and restarted the browser. Then the issue went away.
To make sure AD replication is not an issue, we reduced the time
interval and also removed the server replicas in the NAM config that were
in distant sites.

Now I am into another issue. Some of the users still get the invalid
email error, and looking at the debug catalina logs, I could see that NAM
is not passing the correct attribute value in the assertion. Google
needs the email address to be sent so that it can compare it with its list
and allow access. But since NAM is sending some other value, users are
getting invalid email errors.

I used the same metadata text in the coolsolutions TID. The NameID
format is emailAddress and I am sending the "otherMailbox" attribute value
in the auth response instead of CN, but it is still sending some other
attribute value that looks like an email address in the LDAP store.


--
nareshbk
------------------------------------------------------------------------
nareshbk's Profile: http://forums.novell.com/member.php?userid=43220
View this thread: http://forums.novell.com/showthread.php?t=452616

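The two checks raised in this thread (Edward's "query the DC to confirm what the directory really holds" and Naresh's "the NameID is not the attribute I configured") can both be made mechanical by reading the assertion the IdP actually emitted, as captured in the catalina debug log, and comparing its NameID against the directory value. The following script is an added example written for this thread, not NAM code and not from any poster: the SAML response it parses is constructed, the user and domains are placeholders, and `expected_email` stands in for the value you would read from the DC with a separate LDAP query (for example `ldapsearch`) rather than trusting what the IdP sends.

```python
"""Check which value a SAML 2.0 IdP placed in the assertion NameID and
which attribute it came from; compare with the value read from the
directory. Hypothetical diagnostic example; values are constructed.
"""
import re
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# The emailAddress NameID format keeps its SAML 1.1 URI in SAML 2.0.
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample response (unsigned, placeholder identities). It
# mirrors the symptom in the thread: NameID format is emailAddress, but
# the value was taken from 'mail' rather than the intended 'otherMailbox'.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@corp.example</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="mail">
        <saml:AttributeValue>jdoe@corp.example</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="otherMailbox">
        <saml:AttributeValue>john.doe@apps.example</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_assertion(xml_text):
    """Return (name_id_format, name_id_value, {attribute_name: [values]})."""
    root = ET.fromstring(xml_text)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None:
        raise ValueError("assertion has no NameID")
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return name_id.get("Format"), (name_id.text or "").strip(), attrs


def check_email_name_id(xml_text, expected_email, expected_source_attr):
    """List the reasons an SP that matches NameID against an email list
    would reject this assertion. expected_email is the value read from
    the directory; expected_source_attr is the attribute the IdP was
    configured to use. An empty list means the assertion is as intended."""
    fmt, value, attrs = parse_assertion(xml_text)
    problems = []
    if fmt != EMAIL_FORMAT:
        problems.append(f"NameID Format is {fmt!r}, not emailAddress")
    if not EMAIL_RE.match(value):
        problems.append(f"NameID value {value!r} is not a well-formed email")
    if value != expected_email:
        problems.append(f"NameID value {value!r} != directory value {expected_email!r}")
    if value not in attrs.get(expected_source_attr, []):
        # Work out which attribute the IdP actually used for the NameID.
        origin = [name for name, vals in attrs.items() if value in vals]
        problems.append(
            f"NameID was not taken from {expected_source_attr!r}; it matches "
            f"{origin or 'no attribute in the statement'}"
        )
    return problems


if __name__ == "__main__":
    for line in check_email_name_id(SAMPLE_RESPONSE, "john.doe@apps.example", "otherMailbox"):
        print("PROBLEM:", line)
```

Two practical notes: the IdP's NameID mapping and the attribute set it releases are configured separately, so an assertion can carry the right `otherMailbox` attribute while the NameID still comes from `mail`, which is exactly what the origin check above surfaces. And `xml.etree` is fine for a log excerpt you captured yourself; for assertions received from outside, parse with `defusedxml` and validate the signature first, since the values here are taken at face value.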

Re: Does Identity server Cache attribute values?

nareshbk wrote:

>
> Yes I did. The values are all up to date. It looks like the user is not
> completely logged off and hence the IDP still uses the old value in
> the session. I was told by Novell support once that attributes used
> in SAML are indeed cached in the IDP, but only for that session. I
> made sure the cache was cleared and restarted the browser. Then the
> issue went away. To make sure AD replication is not an issue, we
> reduced the time interval and also removed the server replicas in the
> NAM config that were in distant sites.
>
> Now I am into another issue. Some of the users still get the invalid
> email error, and looking at the debug catalina logs, I could see that
> NAM is not passing the correct attribute value in the assertion.
> Google needs the email address to be sent so that it can compare it
> with its list and allow access. But since NAM is sending some other
> value, users are getting invalid email errors.


What other value is NAM sending then? As in, is it the value of a
different attribute or some completely random value? Are you using the
attribute called 'mail'?



--
Cheers,
Edward