Deactivate SSO and keep Context Handler stateless #3

Open
strandbygaard opened this issue Jun 7, 2016 · 0 comments
@strandbygaard

SSO is a problem with SAML2 scoping to upstream IdP, because the upstream IdP will only send JFR for the US the user is logging in to. When the user then gets SSO to another US, the original token from upstream IdP will not contain JFR for the second US.

Effectively, that means that if context handler uses SSO, the token from upstream IdP must contain all JFR.

Since the user normally has SSO with upstream IdP (e.g. municipality or NemLog-In), disabling SSO would have limited impact on the end users.

On the positive side, disabling SSO on context handler would make it possible to use scoping to upstream IdP, and would reduce the memory pressure of CH, which would increase the performance. This would be most noticeable with STSI-680 because of its requirement to keep bootstrap token in memory.

@strandbygaard strandbygaard changed the title Deactivate SSO and keep Context Handler state-free Deactivate SSO and keep Context Handler stateless Jun 7, 2016