IdP and SP - Should/Could they share Memcache DB?


arnaldop...@gmail.com

Jun 9, 2017, 6:09:25 PM
to SimpleSAMLphp
What are you trying to do?

I have "ip.test.mydomain.com" and "test.mydomain.com".
I currently have a Docker Memcached instance that is shared by the IdP and SP.

Should the Memcached instance be the same between "ip.test.mydomain.com" and "test.mydomain.com"?
Should the Memcached instance be different between "ip.test.mydomain.com" and "test.mydomain.com"?
Does it matter either way?

Patrick Radtke

Jun 12, 2017, 12:53:39 AM
to SimpleSAMLphp, arnaldop...@gmail.com
SSP uses a prefix for any data stored in memcache. Set 'memcache_store.prefix' to different values on your IdP and SP to avoid any collisions.

For your testing with Docker it doesn't matter if memcache is shared or not. In a real system you would want to ensure the namespace/prefix for your different SSP installations don't overlap. Otherwise someone could re-use a session from one installation on another.

-Patrick
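The collision Patrick describes is easy to model. The following is an added example, not SimpleSAMLphp code (SSP is PHP, and the real setting is the 'memcache_store.prefix' key in its config): a small Python model of a shared memcached backend in which each installation namespaces its session keys with a prefix. The class name, the session IDs and the "alice" session data are constructed for the example; the point is that two installations with the same prefix can read each other's sessions, while distinct prefixes keep them apart, and a preflight check over your installations' prefixes catches the overlap before deployment.

```python
# Added example (not SimpleSAMLphp code). Models how a per-installation
# prefix isolates session keys inside one shared memcached instance.
# The dict below stands in for the shared memcached server from the
# question; all names and sample values are constructed.

SHARED_MEMCACHED = {}  # one backend shared by the IdP and the SP


class PrefixedSessionStore:
    """Session store for a single SimpleSAMLphp-like installation.

    Every key written to the shared backend is namespaced with the
    installation's prefix, in the spirit of 'memcache_store.prefix'.
    """

    def __init__(self, prefix, backend=SHARED_MEMCACHED):
        self.prefix = prefix
        self.backend = backend

    def _key(self, session_id):
        # The namespace is the only thing separating installations.
        return f"{self.prefix}.session.{session_id}"

    def save(self, session_id, session_data):
        self.backend[self._key(session_id)] = dict(session_data)

    def load(self, session_id):
        return self.backend.get(self._key(session_id))


def session_leaks_between(prefix_idp, prefix_sp, backend=None):
    """Return True if a session saved by the IdP store is readable
    through the SP store, i.e. the two installations collide."""
    backend = {} if backend is None else backend
    idp = PrefixedSessionStore(prefix_idp, backend)
    sp = PrefixedSessionStore(prefix_sp, backend)
    idp.save("abc123", {"authenticated": True, "uid": "alice"})  # constructed
    return sp.load("abc123") is not None


def shared_prefixes(configs):
    """Preflight check over {installation_name: prefix}.

    Returns the sorted list of prefixes used by more than one installation;
    an empty list means the installations can safely share one memcached.
    """
    users = {}
    for name, prefix in configs.items():
        users.setdefault(prefix, []).append(name)
    return sorted(p for p, names in users.items() if len(names) > 1)


if __name__ == "__main__":
    print("same prefix leaks:", session_leaks_between("ssp", "ssp"))
    print("distinct prefixes leak:", session_leaks_between("ssp-idp", "ssp-sp"))
    print("overlapping prefixes:", shared_prefixes({
        "ip.test.mydomain.com": "ssp",
        "test.mydomain.com": "ssp",
    }))
```

Run `shared_prefixes` over the prefixes of every SSP installation that points at the same memcached; anything it returns is a namespace that needs to be made unique on one side.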

Peter Schober

Jun 13, 2017, 7:09:37 AM
to SimpleSAMLphp
* <arnaldop...@gmail.com> [2017-06-10 00:09]:
> Should the Memcached instance be the same between
> "ip.test.mydomain.com" and "test.mydomain.com"?

SAML IDPs and SPs communicate via SAML protocol messages, sent via
SAML-defined protocol bindings. They do not share state, and do not
need to share the same implementation (e.g. one could be in Java and
the other in PHP). As such there's certainly no requirement for them
to share anything, including a session store (or the technology for
implementing a session store), otherwise the documentation would say
so.

> Should the Memcached instance be different between
> "ip.test.mydomain.com" and "test.mydomain.com"?

Since they only need to communicate via standard protocols I would
take care to not create any other dependencies, interactions or "tight
coupling" that are not necessary.

-peter