Manually force Shibboleth SP to expire/invalidate all sessions

[Peter Schober]

* Michael A Grady <mgrady at unicon.net> [2018-02-21 17:42]:
> If the "bottom line" is to prevent a given user from continuing to
> use the service, and you are using Apache HTTPD as a reverse proxy,
> couldn't you add in "negated" group authorization in addition to the
> Shib-based authz rules? I.e. don't allow access to anyone that is a
> member of this group? Using whatever approach the given version of
> the Shib SP, and of Apache HTTPD, you are using:

Nice, stop caring about sessions and lifetimes and logout etc. just
deny autorization to that one subject once you become aware of the
issue.[1]

You'll have to have one way of identifying the subject anyway (unless
you're really into that blunt weapon of restarting shibd each time
you're informed "/someone/ has been blocked at the IDP, kill
everyone's session at the SP now just in case") so just append some
identifier to a file read by the web server (.htaccess if all else
fails) and be done immediately.
With some light scripting you could even unblock those entries again
(to avoid accumulating blocked identities in local web server config)
after the SP's session lifetime has passed (the config file's mtime or
via cron or whatever), since you know they will have been bounced to
the IDP by now.

-peter

[1] That's not a fix in case you have more than one SP to care about,
of course, that one would require admin logout.