Manually force Shibboleth SP to expire/invalidate all sessions

Bee-Lindgren, Bert bert.bee-lindgren at
Tue Feb 20 15:35:58 EST 2018

Would it be possible to pull something (NameId) from a log file and use that information to synthetically generate a browser-logout-simulating web request?

(We take this approach to disable CAS TGTs after the passwords of hacked accounts are changed.)

Just a thought,

  Bert Bee-Lindgren

  Georgia Tech

From: users <users-bounces at> on behalf of Tom Noonan <tom at>
Sent: Tuesday, February 20, 2018 3:20 PM
To: Shib Users
Subject: Re: Manually force Shibboleth SP to expire/invalidate all sessions

So there's no way to expire out the known sessions in shibd?  That's really what I need, I don't need to logout users at the IdP level.

--Tom Noonan II

On Tue, Feb 20, 2018 at 3:16 PM, Cantor, Scott <cantor.2 at<mailto:cantor.2 at>> wrote:
> Is there more graceful option than restarting the shibd process?

There's no administrative logout mechanism, and building one would depend on the SAML NameID received, rather than anything one probably would expect to be able to use from outside the running system. But it could potentially be built provided that were known.

-- Scott

For Consortium Member technical support, see
To unsubscribe from this list send an email to users-unsubscribe at<mailto:users-unsubscribe at>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list