administratively terminate specific SP session
Scott Koranda
skoranda at gmail.com
Wed Feb 21 11:57:16 EST 2018
Hello,
Yesterday LIGO took part in a tabletop federated security incident
response drill.
As part of the drill LIGO received notification from an IdP operator
that a compromised federated identity was used to authenticate and then
push a SAML assertion to one of our SPs.
Coordination between the IdP operator and the LIGO security team allowed
the SP operator to determine details of the assertion and then verify
using the SP transaction.log that the bad actor still had a valid
session with the SP.
Different SPs require different security postures. For certain SPs we
would have immediately shut down the application and the SP. For others
we would have bounced the SP to kill all active sessions. For low risk
SPs it would be desirable to terminate the particular session that is
active for the bad actor and only that session, especially if we knew
that the ability to re-authenticate at the IdP and force a new flow had
been blocked.
Given a session ID from the transaction log (e.g.
_ae7b9914292d19c02b6b632edc5e9383 with applicationId 'default' from
AssertionID 'id-KS2cElqrTQ12UzCVm') is it possible to administratively
terminate the SP session, preferably from the command line?
If not, will you entertain a feature request for such capability?
Thanks,
Scott K for LIGO
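The correlation step described in the post (assertion reported by the IdP operator, then a transaction.log check for a still-valid SP session) as an added example; this is not code from the post or from the Shibboleth project. The log lines are constructed, their layout is an assumed approximation of the SP transaction.log format, and only the identifiers quoted in the post are real.

```python
import re

# Constructed transaction.log excerpt (format assumed, not copied from a real
# deployment). The first line reuses the session ID / AssertionID from the post;
# the second and third describe an unrelated session that was later logged out.
SAMPLE_LOG = """\
2018-02-20 09:12:03 INFO Shibboleth-TRANSACTION [1]: New session (ID: _ae7b9914292d19c02b6b632edc5e9383) with (applicationId: default) for principal from (IdP: https://idp.example.org/idp/shibboleth) at (ClientAddress: 192.0.2.10) using (Protocol: urn:oasis:names:tc:SAML:2.0:protocol) from (AssertionID: id-KS2cElqrTQ12UzCVm)
2018-02-20 09:13:44 INFO Shibboleth-TRANSACTION [2]: New session (ID: _0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f) with (applicationId: default) for principal from (IdP: https://idp.example.org/idp/shibboleth) at (ClientAddress: 198.51.100.7) using (Protocol: urn:oasis:names:tc:SAML:2.0:protocol) from (AssertionID: id-benign0001)
2018-02-20 09:40:10 INFO Shibboleth-TRANSACTION [2]: Destroyed session (ID: _0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f) with (applicationId: default)
"""

# Every "(Key: value)" group on a line, independent of the order they appear in.
PAIR_RE = re.compile(r"\((\w+): ([^)]*)\)")


def parse_line(line):
    """Return (timestamp, event, fields) for session events, None otherwise."""
    if "New session" in line:
        event = "new"
    elif "Destroyed session" in line:
        event = "destroyed"
    else:
        return None
    timestamp = line[:19]  # "YYYY-MM-DD HH:MM:SS" prefix assumed
    return timestamp, event, dict(PAIR_RE.findall(line))


def sessions_for_assertion(log_text, assertion_id, application_id="default"):
    """Map each SP session minted from the given assertion to its lifecycle."""
    sessions = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, event, f = parsed
        sid = f.get("ID")
        if (event == "new" and f.get("AssertionID") == assertion_id
                and f.get("applicationId") == application_id):
            sessions[sid] = {"created": ts, "destroyed": None,
                             "client": f.get("ClientAddress"), "idp": f.get("IdP")}
        elif event == "destroyed" and sid in sessions:
            sessions[sid]["destroyed"] = ts  # later logout closes the session
    return sessions


def still_active(log_text, assertion_id, application_id="default"):
    """Session IDs from the assertion that have no later 'Destroyed session' record."""
    found = sessions_for_assertion(log_text, assertion_id, application_id)
    return sorted(sid for sid, s in found.items() if s["destroyed"] is None)
```

Feeding the real log and the AssertionID supplied by the IdP operator yields the session IDs that are candidates for termination, plus the client address and IdP recorded at login for the incident record.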