SP 2.5.x sessionHook and SP session termination

Scott Koranda skoranda at gmail.com
Fri Jan 11 12:40:33 EST 2013


For versions >= 2.5 the Shibboleth SP includes the sessionHook
attribute for the <ApplicationDefaults> element as detailed at


The documentation for the sessionHook attribute includes this text:

"The hook MUST either redirect back or take complete ownership of the
client with no further processing by the SP."

As part of "take complete ownership" is there any reason why the hook
could not invoke the logout handler at


to kill the (just created) session with the SP and include a 'return'
query string parameter that then requests a new session
using the simple redirect protocol (.../Shibboleth.sso/Login) and
perhaps session creation parameters?

In particular I would like to use the hook to examine the ISO
timestamp for authentication asserted by the IdP and if I am not
"satisfied" with it then begin a new session initiation process at the
SP and include 'forceAuthn=1' (the authentication method used by the
IdP for this SP does support forced re-authentication).


Scott K

More information about the users mailing list