  1. OpenAM
  2. OPENAM-14179

Additional limitations could be added for stateless sessions

    Details

    • Sprint:
      2019.2 - AM Docs - Hmm
    • Needs backport:
      No
    • Support Ticket IDs:
    • Needs QA verification:
      No
    • Functional tests:
      No
    • Are the reproduction steps defined?:
      No (add reasons in the comment)

      Description

      Had a KB request for this, but it doesn't make sense to split the info across docs and KB given there is already a section for this: https://backstage.forgerock.com/docs/am/6.5/authentication-guide/#session-state-client-based-limitations

      Additions are:

      The extra things seen are:

      a) IDP (Classic SSO) login will add FullLoginURL with the SAMLResponse, and this may blow up the cookie size and cause failure.

      b) If the SAML2 Custom Authentication module is used and there are many SAML2 Assertion attributes, then these will be added to the stateless cookie (unless the attributes are not mapped). This also will cause the cookie size limit to be hit.

      c) SAML2 SP Adapter may not be able to change a session property (for Classic/Legacy/standalone module SAML) as the stateless session may be created. So some of these may need to be done on PAP.

      Please contact @chee-weng.chea for further info if needed

            People

            • Assignee:
              cristina.herraz Cristina Herraz
              Reporter:
              dom Dom Reed