OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: RE: [security-services] Server-Side State and Stateful Sessions


> The challenge here is that database lookup is now required *everytime* the
> user accesses a resource. Otherwise, we might unknowingly permit access
> even with an invalid session.

The word database is maybe a bit strong, but yeah, some kind of "state"
access.

> To my knowledge, most commercial web access systems avoid this type of
> architecture as it is unlikely to scale under load. I do have to express
> my concern that the SAML 2.0 specification is mandating features 
> that have yet to be proven to scale in deployments.

Well, I guess I'd say that in fact some systems *do* work like this and they
scale for some definition of "scale".

Maybe one way to look at it is that if there are simply not means to support
the feature and scale to level X, then you maybe don't deploy the feature if
you have to scale to level X, but could if you deploy to level Y < X.
Presumably, X and Y are a basis of competition among implementations (said
the guy who doesn't sell his ;-)

-- Scott



[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]