When using artifact resolution, the SP exchanges the artifact for a SAML assertion by connecting directly to the IDP over a back channel (not via the user's browser).
In deployments with more than one active IAM instance (active-active setups), the instance that receives the artifact resolution request must be able to access the session information required to issue the SAML assertion.
There are two ways to achieve this:
- Store the session state in an external Redis session repository. This is the preferred way and is not covered in this article.
- Let IAM forward the request internally to the instance holding the information needed to create the SAML assertion. This is the setup described in this article.
This article therefore does not describe the recommended setup: it explains how to handle artifact resolution in active-active setups without storing the session state in Redis.
Because of its complexity, the setup described here should only be used if storing the session state in a Redis cluster is not an option.
The SAML IDP implementation supports load-balanced IAM instances by annotating every SAML artifact with an ID that identifies the instance that issued it (the source IDP). A resolution request arriving at any instance can then be forwarded to the instance that holds the assertion, and the SP receives the assertion from the instance it connected to.
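The following Python model is an added illustration of the forwarding described above; it is not IAM's own code, and the product's actual artifact annotation format is not described on this page. It assumes the standard SAML 2.0 type-4 artifact layout (TypeCode, EndpointIndex, SourceID, MessageHandle) and, as a simplification for the example, uses the EndpointIndex field as the ID of the issuing instance. The issuer entity ID, the 60-second artifact lifetime and the in-memory cluster map are constructed for the example.

```python
import base64
import hashlib
import os
import struct
import time
from typing import Dict, Optional, Tuple

TYPE_CODE = 0x0004                 # SAML 2.0 artifact type 4
ARTIFACT_LEN = 2 + 2 + 20 + 20     # TypeCode | EndpointIndex | SourceID | MessageHandle
ARTIFACT_TTL = 60                  # assumption for this example: artifacts live one minute


def build_artifact(issuer_entity_id: str, endpoint_index: int, handle: bytes) -> str:
    """Encode a type-4 artifact as base64. SourceID is SHA-1 of the issuer entity ID."""
    if len(handle) != 20:
        raise ValueError("message handle must be 20 bytes")
    source_id = hashlib.sha1(issuer_entity_id.encode()).digest()
    raw = struct.pack(">HH", TYPE_CODE, endpoint_index) + source_id + handle
    return base64.b64encode(raw).decode()


def parse_artifact(artifact: str) -> Tuple[int, bytes, bytes]:
    """Decode an artifact and reject anything that is not exactly the type-4 layout."""
    raw = base64.b64decode(artifact, validate=True)
    if len(raw) != ARTIFACT_LEN:
        raise ValueError("wrong artifact length")
    type_code, endpoint_index = struct.unpack(">HH", raw[:4])
    if type_code != TYPE_CODE:
        raise ValueError("unsupported artifact type")
    return endpoint_index, raw[4:24], raw[24:44]


class IdpInstance:
    """One IAM instance of an active-active cluster.

    `index` doubles as the instance ID placed in the artifact's EndpointIndex field
    (an assumption of this example). Pending assertions are kept only on the
    instance that issued the artifact; other instances forward to it.
    """

    def __init__(self, issuer_entity_id: str, index: int, cluster: Dict[int, "IdpInstance"]):
        self.issuer = issuer_entity_id
        self.source_id = hashlib.sha1(issuer_entity_id.encode()).digest()
        self.index = index
        self.cluster = cluster         # index -> instance, shared by all instances
        self.cluster[index] = self
        self._pending: Dict[bytes, Tuple[str, float]] = {}   # handle -> (assertion, expiry)

    def issue(self, assertion: str, now: Optional[float] = None) -> str:
        """Store the assertion locally and return the artifact sent via the browser."""
        now = time.time() if now is None else now
        handle = os.urandom(20)        # unpredictable handle; the artifact is a bearer token
        self._pending[handle] = (assertion, now + ARTIFACT_TTL)
        return build_artifact(self.issuer, self.index, handle)

    def resolve(self, artifact: str, now: Optional[float] = None) -> Optional[str]:
        """Handle an SP's ArtifactResolve arriving at this instance.

        A real resolver must first authenticate the SP (signed ArtifactResolve or
        mutual TLS); that step is omitted here. Resolution fails closed on any
        mismatch: unknown issuer, unknown instance, unknown or expired handle.
        """
        now = time.time() if now is None else now
        endpoint_index, source_id, handle = parse_artifact(artifact)
        if source_id != self.source_id:
            return None                # not issued by this IDP
        owner = self.cluster.get(endpoint_index)
        if owner is None:
            return None                # issuing instance is gone; state is lost
        return owner._resolve_local(handle, now)

    def _resolve_local(self, handle: bytes, now: float) -> Optional[str]:
        """Single use: the handle is removed whether or not it is still valid."""
        entry = self._pending.pop(handle, None)
        if entry is None:
            return None
        assertion, expiry = entry
        return assertion if now <= expiry else None


if __name__ == "__main__":
    cluster: Dict[int, IdpInstance] = {}
    node0 = IdpInstance("https://idp.example.com", 0, cluster)
    node1 = IdpInstance("https://idp.example.com", 1, cluster)
    art = node1.issue("<saml:Assertion ID='_demo'/>")
    print(node0.resolve(art))          # forwarded to node1, assertion returned
    print(node0.resolve(art))          # None: artifacts are single use
```

The model makes two properties visible that the prose only implies: the forwarding target is derived from the artifact alone, so any instance behind the load balancer can accept the request, and if the issuing instance is unavailable the resolution fails rather than falling back to another instance, which is exactly the availability cost the Redis-backed setup avoids.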