administratively terminate specific SP session

Tom Noonan tom at
Wed Feb 21 12:04:08 EST 2018

For cross reference I believe this is the same underlying issue I was
asking about in my thread "Manually force Shibboleth SP to
expire/invalidate all sessions."

--Tom Noonan II

On Wed, Feb 21, 2018 at 11:57 AM, Scott Koranda <skoranda at> wrote:

> Hello,
>
> Yesterday LIGO took part in a tabletop federated security incident
> response drill.
>
> As part of the drill LIGO received notification from an IdP operator
> that a compromised federated identity was used to authenticate and then
> push a SAML assertion to one of our SPs.
>
> Coordination between the IdP operator and the LIGO security team allowed
> the SP operator to determine details of the assertion and then verify
> using the SP transaction.log that the bad actor still had a valid
> session with the SP.
>
> Different SPs require different security postures. For certain SPs we
> would have immediately shut down the application and the SP. For others
> we would have bounced the SP to kill all active sessions. For low risk
> SPs it would be desirable to terminate the particular session that is
> active for the bad actor and only that session, especially if we knew
> that the ability to re-authenticate at the IdP and force a new flow had
> been blocked.
>
> Given a session ID from the transaction log (e.g.
> _ae7b9914292d19c02b6b632edc5e9383 with applicationId 'default' from
> AssertionID 'id-KS2cElqrTQ12UzCVm') is it possible to administratively
> terminate the SP session, preferably from the command line?
>
> If not, will you entertain a feature request for such capability?
>
> Thanks,
>
> Scott K for LIGO
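One way to do the transaction.log check Scott describes (find the SP session minted from a given AssertionID and confirm whether it is still live before deciding how to terminate it), as an added Python example that is not part of this thread or of the Shibboleth project. It assumes the SP 2.x "New session (ID: ...)" transaction-log line format and a "Destroyed session (ID: ...)" line on logout; both are approximated in the constructed sample lines below.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample transaction.log lines; the layout approximates the
# Shibboleth SP 2.x format and the "Destroyed session" line is an assumption.
SAMPLE_LOG = """\
2018-02-21 10:02:11 INFO Shibboleth-TRANSACTION [3]: New session (ID: _0c1b2f9e5a7d4c3b8e1f0a2d9c6b5e4f) with (applicationId: default) for principal from (IdP: https://idp.example.org/idp/shibboleth) at (ClientAddress: 192.0.2.10) with (NameIdentifier: none) using (Protocol: urn:oasis:names:tc:SAML:2.0:protocol) from (AssertionID: id-AAAA)
2018-02-21 10:31:45 INFO Shibboleth-TRANSACTION [5]: New session (ID: _ae7b9914292d19c02b6b632edc5e9383) with (applicationId: default) for principal from (IdP: https://idp.example.org/idp/shibboleth) at (ClientAddress: 198.51.100.7) with (NameIdentifier: none) using (Protocol: urn:oasis:names:tc:SAML:2.0:protocol) from (AssertionID: id-KS2cElqrTQ12UzCVm)
2018-02-21 10:45:02 INFO Shibboleth-TRANSACTION [3]: Destroyed session (ID: _0c1b2f9e5a7d4c3b8e1f0a2d9c6b5e4f) with (applicationId: default)
"""

NEW_RE = re.compile(
    r"^(?P<ts>\S+ \S+) .*?New session \(ID: (?P<sid>[^)]+)\)"
    r" with \(applicationId: (?P<app>[^)]+)\).*?at \(ClientAddress: (?P<addr>[^)]+)\)"
    r".*?from \(AssertionID: (?P<aid>[^)]+)\)"
)
DESTROY_RE = re.compile(r"^(?P<ts>\S+ \S+) .*?Destroyed session \(ID: (?P<sid>[^)]+)\)")


@dataclass
class SessionRecord:
    session_id: str
    application_id: str
    client_address: str
    assertion_id: str
    created: str
    destroyed: Optional[str] = None  # timestamp of the Destroyed line, if seen


def parse_transaction_log(text: str) -> Dict[str, SessionRecord]:
    """Correlate session creation and destruction lines by session ID."""
    sessions: Dict[str, SessionRecord] = {}
    for line in text.splitlines():
        m = NEW_RE.search(line)
        if m:
            sessions[m["sid"]] = SessionRecord(m["sid"], m["app"], m["addr"], m["aid"], m["ts"])
            continue
        m = DESTROY_RE.search(line)
        if m and m["sid"] in sessions:
            sessions[m["sid"]].destroyed = m["ts"]
    return sessions


def sessions_for_assertion(text: str, assertion_id: str) -> List[SessionRecord]:
    """Every SP session minted from the assertion the IdP operator reported."""
    return [s for s in parse_transaction_log(text).values() if s.assertion_id == assertion_id]


def active_sessions_for_assertion(text: str, assertion_id: str) -> List[SessionRecord]:
    """Only the sessions with no later Destroyed line, i.e. the ones still to terminate."""
    return [s for s in sessions_for_assertion(text, assertion_id) if s.destroyed is None]
```

Feed the real transaction.log in place of SAMPLE_LOG; the returned records carry the applicationId and client address you need to decide between bouncing the SP and a targeted response.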