Manually force Shibboleth SP to expire/invalidate all sessions

Peter Schober peter.schober at
Wed Feb 21 12:17:30 EST 2018

* Michael A Grady <mgrady at> [2018-02-21 17:42]:
> If the "bottom line" is to prevent a given user from continuing to
> use the service, and you are using Apache HTTPD as a reverse proxy,
> couldn't you add in "negated" group authorization in addition to the
> Shib-based authz rules? I.e. don't allow access to anyone that is a
> member of this group? Using whatever approach the given version of
> the Shib SP, and of Apache HTTPD, you are using:

Nice, stop caring about sessions and lifetimes and logout etc. just
deny autorization to that one subject once you become aware of the

You'll have to have one way of identifying the subject anyway (unless
you're really into that blunt weapon of restarting shibd each time
you're informed "/someone/ has been blocked at the IDP, kill
everyone's session at the SP now just in case") so just append some
identifier to a file read by the web server (.htaccess if all else
fails) and be done immediately.
With some light scripting you could even unblock those entries again
(to avoid accumulating blocked identities in local web server config)
after the SP's session lifetime has passed (the config file's mtime or
via cron or whatever), since you know they will have been bounced to
the IDP by now.


[1] That's not a fix in case you have more than one SP to care about,
of course, that one would require admin logout.

More information about the users mailing list