administratively terminate specific SP session

Tom Noonan tom at joinroot.com
Wed Feb 21 12:04:08 EST 2018


For cross-reference, I believe this is the same underlying issue I was
asking about in my thread "Manually force Shibboleth SP to
expire/invalidate all sessions."

--Tom Noonan II

On Wed, Feb 21, 2018 at 11:57 AM, Scott Koranda <skoranda at gmail.com> wrote:

> Hello,
>
> Yesterday LIGO took part in a tabletop federated security incident
> response drill.
>
> As part of the drill LIGO received notification from an IdP operator
> that a compromised federated identity was used to authenticate and then
> push a SAML assertion to one of our SPs.
>
> Coordination between the IdP operator and the LIGO security team allowed
> the SP operator to determine details of the assertion and then verify
> using the SP transaction.log that the bad actor still had a valid
> session with the SP.
>
> Different SPs require different security postures. For certain SPs we
> would have immediately shut down the application and the SP. For others
> we would have bounced the SP to kill all active sessions. For low risk
> SPs it would be desirable to terminate the particular session that is
> active for the bad actor and only that session, especially if we knew
> that the ability to re-authenticate at the IdP and force a new flow had
> been blocked.
>
> Given a session ID from the transaction log (e.g.
> _ae7b9914292d19c02b6b632edc5e9383 with applicationId 'default' from
> AssertionID 'id-KS2cElqrTQ12UzCVm'), is it possible to administratively
> terminate the SP session, preferably from the command line?
>
> If not, will you entertain a feature request for such capability?
>
> Thanks,
>
> Scott K for LIGO
> --
> For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
>
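The correlation step Scott describes (take the AssertionID reported by the IdP operator, find the matching SP session in transaction.log, and check that no "Destroyed session" record has followed it) is shown below as an added example. This is not code from the thread or from the Shibboleth project; the log line layout, the field names (ClientAddress, NameIdentifier, AssertionID), the sample sessions and the addresses are constructed to resemble SP 2.x transaction.log records and should be treated as assumptions to check against a real log. It does not terminate anything: the thread gives no supported way to do that by session ID, so the example stops at identifying the session that would need to be killed.

```python
"""Correlate an IdP-reported AssertionID with Shibboleth SP transaction.log sessions.

Added example, not Shibboleth project code. Log line shapes and sample data below
are constructed (assumed to resemble SP 2.x 'New session' / 'Destroyed session'
records) and are not taken from the mailing-list thread.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample log: one benign session that was later destroyed, and one
# session created from the assertion the IdP operator flagged as compromised.
SAMPLE_LOG = """\
2018-02-20 09:12:01 INFO Shibboleth-TRANSACTION [1]: New session (ID: _11111111111111111111111111111111) with (applicationId: default) for principal from (IdP: https://idp.example.edu/idp/shibboleth) at (ClientAddress: 192.0.2.10) with (NameIdentifier: user1@example.edu) using (Protocol: urn:oasis:names:tc:SAML:2.0:protocol) from (AssertionID: id-AAAA)
2018-02-20 09:40:13 INFO Shibboleth-TRANSACTION [2]: New session (ID: _ae7b9914292d19c02b6b632edc5e9383) with (applicationId: default) for principal from (IdP: https://idp.example.edu/idp/shibboleth) at (ClientAddress: 198.51.100.7) with (NameIdentifier: victim@example.edu) using (Protocol: urn:oasis:names:tc:SAML:2.0:protocol) from (AssertionID: id-KS2cElqrTQ12UzCVm)
2018-02-20 10:05:44 INFO Shibboleth-TRANSACTION [3]: Destroyed session (ID: _11111111111111111111111111111111) with (applicationId: default)
"""

# Assumed record layouts; adjust the patterns if a real log differs.
NEW_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) .*?New session \(ID: (?P<sid>[^)]+)\)"
    r" with \(applicationId: (?P<app>[^)]+)\).*?\(ClientAddress: (?P<addr>[^)]+)\)"
    r".*?\(AssertionID: (?P<aid>[^)]+)\)"
)
DESTROY_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) .*?Destroyed session \(ID: (?P<sid>[^)]+)\)"
)


@dataclass
class Session:
    session_id: str
    application_id: str
    client_address: str
    assertion_id: str
    created: str
    destroyed: Optional[str] = None

    @property
    def active(self) -> bool:
        # "Active" here only means no Destroyed record was logged. Idle and
        # absolute timeouts are not written to transaction.log, so a session
        # with no Destroyed record may already have expired; confirm against
        # the live session cache before treating it as a live foothold.
        return self.destroyed is None


def parse_transaction_log(text: str) -> Dict[str, Session]:
    """Build a session table keyed by session ID from transaction.log text."""
    sessions: Dict[str, Session] = {}
    for line in text.splitlines():
        m = NEW_RE.match(line)
        if m:
            sessions[m["sid"]] = Session(
                m["sid"], m["app"], m["addr"], m["aid"], m["ts"]
            )
            continue
        m = DESTROY_RE.match(line)
        if m and m["sid"] in sessions:
            sessions[m["sid"]].destroyed = m["ts"]
    return sessions


def sessions_for_assertion(text: str, assertion_id: str) -> List[Session]:
    """All SP sessions that were created from the given SAML AssertionID."""
    return [
        s for s in parse_transaction_log(text).values()
        if s.assertion_id == assertion_id
    ]


def active_sessions_for_assertion(text: str, assertion_id: str) -> List[Session]:
    """The subset of those sessions with no Destroyed record, i.e. the ones
    an operator would want to terminate individually."""
    return [s for s in sessions_for_assertion(text, assertion_id) if s.active]


if __name__ == "__main__":
    flagged = "id-KS2cElqrTQ12UzCVm"  # AssertionID reported by the IdP operator
    for s in active_sessions_for_assertion(SAMPLE_LOG, flagged):
        print(f"still active: session {s.session_id} (app {s.application_id}) "
              f"created {s.created} from {s.client_address}")
```

The client address recovered alongside the session ID is worth keeping: if the SP cannot terminate one session by ID, blocking that address at the web server while the IdP-side account is locked is the next narrowest containment step short of bouncing shibd.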