How do I configure how long the SAML AuthnRequest remains in cache in AM (All versions)?
The purpose of this article is to provide information on configuring how long the SAML AuthnRequest (request ID) remains in the cache in AM. By default, the cache is cleared every 10 minutes. Cached details include the AuthRequest and the artifact ID.
1 reader recommends this article
The cache is cleared every 10 minutes by default, but you may want to consider increasing this interval if you keep seeing the following error in the Federation debug log:ERROR: IDPSSOFederate.doSSOFederate: Unable to get AuthnRequest from cache, sending error response
This error means that the SAML AuthnRequest is missing from the local cache; this can be caused by timeout or by a misrouted request in a multi-instance environment where stickiness is not available. If it is a timeout issue, increasing the cache cleanup interval would prevent these errors.
Configuring how long the SAML AuthnRequest remains in the cache
You can configure how long the SAML AuthnRequest remains in the cache using either the AM admin UI or ssoadm:
- AM admin UI: navigate to: Configure > Global Services > SAMLv2 Service Configuration > Cache cleanup interval and enter the number of seconds that you want the AuthnRequest to remain in the cache. Once this time elapses, the cache is cleared.
- ssoadm: enter the following command: $ ./ssoadm set-attr-defs -s sunFAMSAML2Configuration -t global -u [adminID] -f [passwordfile] -a CacheCleanupInterval=[seconds]replacing [adminID], [passwordfile] and [seconds] with appropriate values.
You must restart the web application container in which AM runs to apply these configuration changes.
You cannot disable this cache; setting the Cache cleanup interval to 0 will cause a divide by zero exception during initialization of the SPCache:
java.lang.ArithmeticException: / by zero.
Related Issue Tracker IDs