Manually force Shibboleth SP to expire/invalidate all sessions

Bee-Lindgren, Bert bert.bee-lindgren at oit.gatech.edu
Tue Feb 20 15:35:58 EST 2018


Would it be possible to pull something (NameId) from a log file and use that information to synthetically generate a browser-logout-simulating web request?


(We take this approach to disable CAS TGTs after the passwords of hacked accounts are changed.)


Just a thought,

  Bert Bee-Lindgren

  Georgia Tech


________________________________
From: users <users-bounces at shibboleth.net> on behalf of Tom Noonan <tom at joinroot.com>
Sent: Tuesday, February 20, 2018 3:20 PM
To: Shib Users
Subject: Re: Manually force Shibboleth SP to expire/invalidate all sessions

So there's no way to expire out the known sessions in shibd?  That's really what I need; I don't need to log out users at the IdP level.

--Tom Noonan II

On Tue, Feb 20, 2018 at 3:16 PM, Cantor, Scott <cantor.2 at osu.edu> wrote:
> Is there a more graceful option than restarting the shibd process?

There's no administrative logout mechanism, and building one would depend on the SAML NameID received, rather than anything one probably would expect to be able to use from outside the running system. But it could potentially be built provided that were known.

-- Scott
