Manually force Shibboleth SP to expire/invalidate all sessions

Michael A Grady mgrady at unicon.net
Wed Feb 21 11:40:55 EST 2018


If the "bottom line" is to prevent a given user from continuing to use the service, and you are using Apache HTTPD as a reverse proxy, couldn't you add in "negated" group authorization in addition to the Shib-based authz rules? I.e. don't allow access to anyone that is a member of this group? Using whatever approach the given version of the Shib SP, and of Apache HTTPD, you are using:

  https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig#NativeSPApacheConfig-AuthConfigOptions


> On Feb 21, 2018, at 10:33 AM, Tom Noonan <tom at joinroot.com> wrote:
> 
> No worries, I appreciate the help in any case!
> 
> --Tom Noonan II
> 
> On Wed, Feb 21, 2018 at 11:30 AM, Peter Schober <peter.schober at univie.ac.at> wrote:
> * Tom Noonan <tom at joinroot.com> [2018-02-21 17:23]:
> > I'm not using memcached.  I think there is some confusion with another
> > thread.
> 
> Indeed, apologies. I was referring to a hijacked thread that at one
> point changed its subject to "Shibboleth SP clustering using shared
> database", where someone wanted to cluster Apache httpd with Shib as a
> reverse proxy to another resource.
> That latter part is what caused me to chase you down a road you had no
> intention of going.
> -peter

--
Michael A. Grady
IAM Architect, Unicon, Inc.
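
The negated group rule suggested in the message above, sketched in Apache httpd 2.4 syntax with the Shibboleth SP module, as an added example that is not part of the original post. The location, backend URL, group file path and group name are assumptions, and the names in the group file must match whatever value the SP publishes as REMOTE_USER.

```apache
# Added example. Paths, the group name and the backend URL are constructed.
# /etc/httpd/conf/blocked.groups (mod_authz_groupfile format), one line:
#   blocked: alice@example.org bob@example.org

<Location "/app">
    AuthType shibboleth
    ShibRequestSetting requireSession 1

    # mod_authz_groupfile: member names are compared with REMOTE_USER
    AuthGroupFile "/etc/httpd/conf/blocked.groups"

    <RequireAll>
        # Existing Shib-based rule: an SP session must exist
        Require shib-session
        # Negated group rule: members of "blocked" are refused.
        # Authorization runs on every request, so this applies even
        # while the user's SP session is still valid.
        Require not group blocked
    </RequireAll>

    # Reverse proxy to the protected resource
    ProxyPass "http://127.0.0.1:8080/app"
    ProxyPassReverse "http://127.0.0.1:8080/app"
</Location>
```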


