Why is the Value of response not cached under some circumstances even though response is configured to cache value?

Document ID : KB000026287
Last Modified Date : 14/02/2018

Description:

Even though "cache value" is selected when the SiteMinder response was created, the policy server does not cache the value of the response under some circumstances, and the User Directory is always contacted to resolve the responses. Also, when Directory Mapping is used, the AZ Directory is always contacted during the authorization process. The value of the authorization is not cached.

Resolution:

There are four different scenarios that should be taken into consideration to understand the issue. (UD = User Directory, AZ = Authorization, PS = Policy Server.)

Case 1: No Directory Mapping used. No response set.
In this case, the UD is contacted during Authentication and the user context is created. During Authorization, the user is looked up from the existing context and policy resolution is done. No LDAP calls are made to the user directory. This behaviour is consistent across subsequent calls for the same user.

Case 2: No Directory Mapping used. AZ response set.
In this case, the UD is contacted during Authentication and the user context is created. During Authorization, the UD is always contacted to resolve the response. This happens for every request: AZ responses are not cached.

Case 3: With Directory Mapping used. No response set.
The UD is contacted during Authentication and the user context is created. During Authorization, the existing context is not good enough for the user lookup (as the Auth and AZ directories are different). Hence the AZ Directory is contacted (an LDAP call is made to the user directory) and a new context is created.
Contexts are not cached.
The behaviour is consistent across all subsequent AZ calls for the same user. At the code level, the "Lookup" is performed every time (for an AZ case with directory mapping), which internally calls the "provider search" to search for the user in the UD.

Case 4: With Directory Mapping used. AZ response set.
This is similar to Case 3 above (LDAP calls are made every time for AZ requests), with the additional cost of resolving the response on every request, as in Case 2.


Inference:

There is a difference in the behaviour of the policy server when a single Auth-AZ directory is used and when directory mapping is used (different Auth and AZ directories). [No AZ response is set in either case.]

When no directory mapping is used, the user context is set during the Authentication event. During Authorization, the user is looked up from the existing context and only policy resolution is done (the PS checks whether the user is included in the policy). No calls are made to the UD.

When Auth-AZ directory mapping is configured, the existing context (created during the Authentication event) is not good enough for the user lookup (as the Auth and AZ directories are different). Hence the AZ Directory is contacted (an LDAP call is made to the user directory) and a new context is created.
Contexts are not cached.
The behaviour is consistent across all subsequent AZ calls for the same user, and the AZ UD is contacted for every request.