We have SAML 2.0 Assertion Provider configured in WLS(version 10.3.6.0). We get the SAML cookie from an IDM server. WLS request SAML cookie and populate the security context accordingly. We can see the SAML cookie details in the WLS log.
We have a web service which is used to manipulate/update a flag in the LDAP. First time when a user logs into a portal, we get a value for this flag. We call this web service to flip the flag in the LDAP. The user logs out and log in back to the portal. The expected behavior is that the user should see the modified value. But the user see the previous value of the flag. But in WLS log, we could see the modified value in the SAML cookie.
If we bounce the server and log in back with the same user, we could see the modified flag value. From this it is clear that the SAML cookie is cached in WLS. And it is mentioned in the below documentation that: WebLogic Server maintains a cache of used assertions so that it can support a single-use policy for assertions. http://docs.oracle.com/cd/E23943_01/web.1111/e13707/saml.htm
Solutions Already Tried+:
1. We found one documentation where it says that, " *LoginModules may not be called if the Subject is cached. The -Dweblogic.security.identityAssertionTTL flag can be used to affect this behavior (for example, to modify the default TTL of 5 minutes or to disable the cache by setting the flag to -1)*"
http://docs.oracle.com/cd/E15051_01/wls/docs103/dvspisec/ia.html. We tried setting this flag in the setDomainEnv.sh file. But it is of no use.
2. Setting the cache time out parameter in WLS. Environment > Servers > ServerName > Configuration > Federation Services > SAML 2.0 Service Provider- Tab. Set the Authentication Request Cache Timeout to 30 seconds which was previously set to 300 Seconds.
But none of the above solutions resolved the issue.
Can any one please provide a solution to disable this cache or to overcome this scenario. Any help is highly appreciated
Please let me know if any other information is required.