SP 2.5.x sessionHook and SP session termination

Cantor, Scott cantor.2 at osu.edu
Fri Jan 11 12:50:48 EST 2013


On 1/11/13 12:40 PM, "Scott Koranda" <skoranda at gmail.com> wrote:

>As part of "take complete ownership" is there any reason why the hook
>could not invoke the logout handler at
>
>.../Shibboleth.sso/Logout
>
>to kill the (just created) session with the SP and include a 'return'
>query string parameter that then requests a new session
>using the simple redirect protocol (.../Shibboleth.sso/Login) and
>perhaps session creation parameters?

Not that I can think of. I don't think there's anything left for the
mainline code to do but get to the resource, so I don't think that would
hurt anything.

One possible issue, thinking ahead, is that the default logout support
does check for SAML 2 logout support first, and that might get in your way
here. Another problem, per the recent dev conversation, is that the IdP
now has design limitations around use of ForceAuthn out of the box when
you change user identity. Neither specifically pertains to your question,
just thinking about the whole picture.

>In particular I would like to use the hook to examine the ISO
>timestamp for authentication asserted by the IdP and if I am not
>"satisfied" with it then begin a new session initiation process at the
>SP and include 'forceAuthn=1' (the authentication method used by the
>IdP for this SP does support forced re-authentication).

You might also be able to do that with the maxTimeSinceAuthn option +
redirectErrors, but it might be easier your way.

-- Scott
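The decision logic for the sequence the thread sketches (the hook inspects the asserted AuthnInstant and, when not satisfied, sends the browser to Logout with a `return` that re-enters Login with `forceAuthn=1`), as an added example that is not part of the original thread or of the Shibboleth SP code; the hook's `return` parameter contract, the host name and the 15-minute policy are assumptions. It also fails closed on a missing, naive or unparseable timestamp and tolerates a small clock skew, which the thread does not discuss.

```python
"""Decision logic for a Shibboleth SP 2.5 sessionHook that forces re-authentication
when the IdP's asserted AuthnInstant is older than a local policy allows."""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

# Assumed hook contract (not stated in the thread): the SP redirects to the hook
# after creating the session and passes the URL to continue to as 'return';
# the hook reads the new session's AuthnInstant and answers with a redirect.
HANDLER_BASE = "https://sp.example.org/Shibboleth.sso"   # constructed example host
MAX_AUTHN_AGE = timedelta(minutes=15)                      # local policy, an assumption
CLOCK_SKEW = timedelta(minutes=5)                          # tolerated IdP/SP clock drift


def parse_authn_instant(value):
    """Parse an ISO 8601 AuthnInstant such as '2013-01-11T17:40:00Z'.
    Returns None when the value is missing, malformed, or has no timezone."""
    if not value:
        return None
    try:
        ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    if ts.tzinfo is None:          # a naive timestamp is ambiguous: do not trust it
        return None
    return ts.astimezone(timezone.utc)


def forced_login_url(target):
    """Login handler URL that starts a fresh session with ForceAuthn, as the
    thread proposes ('forceAuthn=1' plus the original target)."""
    return HANDLER_BASE + "/Login?" + urlencode({"forceAuthn": "1", "target": target})


def hook_redirect(authn_instant, return_url, target, now_iso=None):
    """Return the URL the hook should redirect the browser to.

    Satisfied: continue to the SP-supplied return URL.
    Not satisfied (too old, missing or unparseable): hit the Logout handler to
    kill the just-created session, with a 'return' that re-enters Login with
    forceAuthn=1. now_iso lets callers pin the clock for testing."""
    now = parse_authn_instant(now_iso) if now_iso else datetime.now(timezone.utc)
    ts = parse_authn_instant(authn_instant)
    if ts is not None and -CLOCK_SKEW <= now - ts <= MAX_AUTHN_AGE:
        return return_url
    return HANDLER_BASE + "/Logout?" + urlencode({"return": forced_login_url(target)})
```

Note that the default Logout handler will still try SAML 2 logout first if the IdP supports it, as the reply warns; this code only builds the URLs.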