Support for non-sticky sessions in spring-security-saml2-core?

I see from http://docs.spring.io/spring-security-saml/docs/1.0.0.RELEASE/reference/html/configuration-advanced.html#configuration-load-balancing that stickysessions are required when using a loadbalancer.

Is there any hope for support for non-sticky sessions in a future release?

-Kaj :)

Solution

There shouldn't be need for sticky sessions in case you replicate your HTTP sessions to all nodes in the cluster. It's also not needed in case you use IDP-initialized SSO without Single Logout. One more option is to add bean EmptyStorageFactory which removes certain validations based on sent AuthnRequest (like checking of InResponseTo field).

There's always hope, but I don't think I'll be writing this anytime soon. Contributions welcome.

How to read value of SAML attribute received from the IdP?
Configuring SAML2: Bypassing 'InResponseTo' Validation While Retaining Default Settings in OpenSaml4AuthenticationProvider
How to configure grails-spring-security-saml plugin version 5.0.0-RC3 for https applications
How to resolve POST Request 405 Error in Spring SAML2 SLO
IDP initiated SAML login error - Authentication statement is too old to be used with value
Signature trust establishment failed for SAML metadata entry
How to execute a filter or handler only once after successful SAML2 login?
Pass URL Parameters to Spring Security custom LogoutSuccessHandler
SSO between web application in IBM WAS 7 and ADFS2.0
Spring Security SAML - Failed to verify signature
How can I force spring-saml-extension to re-authenticate everytime?
Spring SAML Sample application returns Could not initialize class org.apache.commons.ssl.TrustMaterial
Creating SAML repository registrations dynamically in Spring Security (Spring Boot)
No IDP was configured, please update included metadata with at least one IDP
Spring Security SAML2 service provider - RelyingPartyRegistration.entityId() vs RelyingPartyRegistration.assertingPartyDetails(c -> c.entityId())
Spring Boot SAML using AWS SSO as IdP errors with Bad Input
Spring Saml2 and Spring Session - SavedRequest not retrieved (cannot redirect to requested page after authentication / InResponseTo exception)
How do you disable the auto generated pages /login and /logout using Spring SAML2?
How to secure Struts actions with Spring single-sign-on
trusted certificate entries are not password-protected Spring SAML
Spring SAML handshake failure - Failed to validate untrusted credential against trusted key
Claim not found in custom policy for Azure B2C - Saml
Does Azure B2C User Flows support SAML protocol?
Spring Saml not working with latest Spring Security 4.0.0.RELEASE
SAML signing certificate- your role does not have permissions required to manage signing certificates
SAML getting Signature Reference URI did not resolve to the expected parent Element
Create JWT access token from a SAMLAuthenticationToken
How to retrieve SAML SP Metadata from Spring Security 5
SLO fails when SP has timed out
Should SAMLResponse contain extra line breaks?