Carefully consider this concept to ensure optimum configuration.

This section focuses on the individual cache options that you can set at the attribute level. See Configuring Trust Framework attribute caching for development or Configuring Trust Framework attribute caching for production for more information.

Attribute caching can be indefinite or time-limited, with or without the scope of another attribute value:

  • With time-limited caching, you set the duration for which the cache lives (Time to Live) before it expires.
  • With Scope set to an attribute, if the value of that attribute changes, the system invalidates the cache for the attribute you are defining.
    • In the example below, as long as the sessionId value remains the same, the value of the attribute you are defining is cached. When the sessionId changes, the system invalidates the cache and uses normal resolution.

      Screen capture of the Caching section settings for a Trust Framework attribute

Attribute caching uses a one-level approach in which cache entries are stored in and retrieved from the single configured cache type. If the attribute does not exist in the cache, the PDP resolves the attribute automatically by using the appropriate attribute resolvers and then adds it to the cache. All subsequent uses of the attribute take the cached value until it expires from the cache, at which point the attribute is resolved again.


The cache key for a Trust Framework attribute value includes a hash of the values required for it to resolve. If one of these values changes, the cache key automatically becomes invalid. You can think of this arrangement as an aggregation of Scope parameters that guard against inconsistencies between your cached values.
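
The following Python sketch models the behavior described above: Time to Live, Scope, and a cache key that hashes the resolution inputs. It is an added example, not the product's code. The class `AttributeCache`, the `tier` attribute, the `userId` input, and the session values are all assumed names with constructed data.

```python
import hashlib, json, time

class AttributeCache:
    """Simplified single-level cache: TTL, Scope and input-hash keys (assumed model)."""

    def __init__(self, clock=time.monotonic):
        self._entries = {}    # cache key -> (value, expiry or None, scope value)
        self._clock = clock
        self.resolutions = 0  # number of times a resolver actually ran

    @staticmethod
    def _key(name, inputs):
        # The key includes a hash of every value needed to resolve the attribute,
        # so a changed input can never hit an entry built from the old input.
        blob = json.dumps(inputs, sort_keys=True).encode()
        return f"{name}:{hashlib.sha256(blob).hexdigest()}"

    def get(self, name, inputs, resolver, ttl=None, scope=None):
        key = self._key(name, inputs)
        now = self._clock()
        hit = self._entries.get(key)
        if hit is not None:
            value, expiry, cached_scope = hit
            if (expiry is None or now < expiry) and cached_scope == scope:
                return value            # valid cache hit
            del self._entries[key]      # TTL expired or Scope value changed
        value = resolver(inputs)        # normal resolution on a miss
        self.resolutions += 1
        self._entries[key] = (value, None if ttl is None else now + ttl, scope)
        return value

def demo():
    now = [0.0]                         # controllable clock for the example
    cache = AttributeCache(clock=lambda: now[0])
    backend = {"alice": "gold"}         # constructed attribute source

    def resolve(inputs):
        return backend[inputs["userId"]]

    args = dict(name="tier", inputs={"userId": "alice"}, resolver=resolve, ttl=60)
    seen = [cache.get(scope="sess-1", **args)]      # miss: resolves "gold"
    backend["alice"] = "revoked"                    # source changes underneath
    seen.append(cache.get(scope="sess-1", **args))  # hit: cached "gold" is served
    seen.append(cache.get(scope="sess-2", **args))  # Scope changed: re-resolved
    backend["alice"] = "gold"
    now[0] = 61.0                                   # move past the 60 s TTL
    seen.append(cache.get(scope="sess-2", **args))  # TTL expired: re-resolved
    return seen, cache.resolutions

if __name__ == "__main__":
    print(demo())
```

The second lookup returns the value cached before the source changed, which is the trade-off to weigh when choosing a Time to Live and Scope for attributes that feed policy decisions.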