Manually force Shibboleth SP to expire/invalidate all sessions

Tom Noonan tom at
Wed Feb 21 09:01:46 EST 2018

And my plan was to run a short 30 minute window to minimize that, until I
realized the reauth redirect was interfering with non-GET operations in our
app.  So I've been forced to turn it up.

I'm currently using the SP as a auth proxy in front of another app. As I
understand the model there will always be a delay between disabling the
user in the IdP and having their sessions expire in the SP as the SP has
it's own sessions.  This can me minimized, but not eliminated, with low
lifetimes but that kills the user experience with frequent redirects to the
IdP.  So, in my opinion after several days of pondering this problem, a
longer session is better for user experience but some sort of
administrative kill switch is needed.  I think that's going to be the best
tradeoff between usability and security.

--Tom Noonan II

On Wed, Feb 21, 2018 at 8:42 AM, Peter Schober <peter.schober at>

> * Tom Noonan <tom at> [2018-02-21 14:37]:
> > the default session lifetime is 8h (the default), then there is an
> > 8h window in which someone could be disabled in the IdP but still
> > access services as their service session is valid.
> Seems to me you're saying that your own session lifetime is to big a
> window of opportinty for you.
> -peter
> --
> For Consortium Member technical support, see
> confluence/x/coFAAg
> To unsubscribe from this list send an email to
> users-unsubscribe at
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list