The HttpSSOSessionStore is the default store and is based off the ASP.NET session.
Section 5.6.2 of the Developer Guide PDF describes the DatabaseSSOSessionStore although it doesn't provide a lot of detail around the SessionID property.
The SessionID must uniquely identify the browser session.
The following code demonstrates specifying the DatabaseSSOSessionStore but with a custom mechanism for returning a SessionID.
In this case it's using the ASP.NET anonymous identifier.

    SAMLController.SSOSessionStore = new DatabaseSSOSessionStore()
    {
        SessionIDDelegate = new SessionIDDelegate(SessionIDDelegates.GetSessionIDFromAnonymousID)
    };

SessionIDDelegate is defined as:

    /// <summary>
    /// The session ID delegate returns a unique SSO session identifier.
    /// <para>
    /// The SSO session identifier must be unique for the user's browser session.
    /// It's used to identify which SSO session information is specific to the user's browser session.
    /// </para>
    /// </summary>
    /// <returns>The unique SSO session identifier.</returns>
    public delegate string SessionIDDelegate();

One common way to support a SessionID is through a custom cookie whose value is unique per session.

    public static string GetSessionIDFromCustomCookie()
    {
        string sessionID = null;

        // Reuse the identifier from the browser's existing cookie, if there is one.
        HttpCookie httpCookie = HttpContext.Current.Request.Cookies["saml-session"];

        if (httpCookie != null)
        {
            sessionID = httpCookie.Value;
        }
        else
        {
            // No cookie yet: create a new identifier and send it to the browser.
            sessionID = Guid.NewGuid().ToString();
            HttpContext.Current.Response.Cookies.Add(new HttpCookie("saml-session", sessionID));
        }

        return sessionID;
    }

Let me know if you have any other questions.
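
A hardened variant of the custom-cookie delegate above, as an added example that is not part of the original post or ComponentSpace's own code. It assumes an HTTPS-only site on .NET Framework 4.7.2 or later (needed for HttpCookie.SameSite); the class name HardenedSessionIDDelegates and the 64-hex-character identifier format are illustrative choices.

```csharp
using System;
using System.Security.Cryptography;
using System.Text.RegularExpressions;
using System.Web;

// Hypothetical class; pass GetSessionIDFromCustomCookie to new SessionIDDelegate(...).
public static class HardenedSessionIDDelegates
{
    private const string CookieName = "saml-session"; // cookie name used in the post
    // Accept only the format issued below: 64 lowercase hex characters.
    private static readonly Regex IssuedFormat = new Regex(@"\A[0-9a-f]{64}\z");

    public static bool IsWellFormed(string value) => value != null && IssuedFormat.IsMatch(value);

    public static string NewSessionID()
    {
        byte[] bytes = new byte[32]; // 256 bits from the OS CSPRNG
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(bytes);
        }
        return BitConverter.ToString(bytes).Replace("-", "").ToLowerInvariant();
    }

    public static string GetSessionIDFromCustomCookie()
    {
        HttpContext context = HttpContext.Current;
        // Reuse an ID already issued during this request so repeated calls agree.
        string sessionID = context.Items[CookieName] as string;
        if (sessionID != null) return sessionID;

        HttpCookie cookie = context.Request.Cookies[CookieName];
        sessionID = (cookie != null && IsWellFormed(cookie.Value)) ? cookie.Value : null;
        if (sessionID == null)
        {
            // Missing or malformed: never use an arbitrary client string as the store key.
            sessionID = NewSessionID();
            context.Response.Cookies.Set(new HttpCookie(CookieName, sessionID)
            {
                HttpOnly = true,              // not readable from page script
                Secure = true,                // assumption: site is HTTPS-only
                SameSite = SameSiteMode.None  // cookie must accompany the IdP's cross-site POST
            });
        }
        context.Items[CookieName] = sessionID;
        return sessionID;
    }
}
```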