Replying to my own post, I'm including some information that Peter Schober drew to my attention in a private email.
One possible approach to avoiding shared state (and thus avoiding Terracotta!) is documented here:
It seems that SAML1 attribute pull (which is the specific aspect of SAML1 authentication that I was bothered about) can be supported with the "CryptoTransient" stuff referred to under "Attribute Queries" near the bottom of that page.
On 14/02/2013 14:45, Sara Hopkins wrote:
> Hi Matthew,
> On 14/02/2013 14:38, Matthew Slowe wrote:
>> We'd like some way to scale horizontally if we need to when Office365
>> goes live but, actually, thinking about it... I don't think the
>> methods that Office365 uses needs to store any state so this may be a
>> completely moot point anyway.
> Yes, but there would still be other things that do need to share state,
> eg. authentication with SAML1-based SPs. Can you ensure that the
> SAML1-based authentications are confined to a single server and don't
> get farmed out anywhere else?
UK Access Management Federation for Education and Research
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.