Manually force Shibboleth SP to expire/invalidate all sessions

Cantor, Scott cantor.2 at osu.edu
Wed Feb 21 12:23:36 EST 2018


> My intention is to prevent a session with the SP from allowing a user to continue accessing a service when
> they've been disabled in the IdP.  I can do this with V2, and I've opened another thread to understand V3 
> better.

Mike just gave you a way. That *is* the way. You're trying to make this about sessions, but it's not, it's an authorization problem. That's where it should be solved, and it has the benefit that it always works no matter what version, technology, cluster, etc. is being used.

> This is the problem I'm trying to resolve.  In this case the issue is the cached session in the SP. 

It's not. It's about not allowing access to that user. Don't allow access. Done. This doesn't require application changes, even though that's still the best place to enforce the block.

-- Scott
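
One way to enforce the block at the authorization layer inside the application, added here as an example and not taken from the thread or from Shibboleth: a WSGI middleware that re-checks a deny list on every request, so whether the SP still holds a session for the user does not matter. The deny-list file, its one-id-per-line format, the case-insensitive match and the use of `REMOTE_USER` as the user key are assumptions.

```python
import os


class DenyListMiddleware:
    """Re-check a deny list on every request, independent of any SP session."""

    def __init__(self, app, deny_path, user_key="REMOTE_USER"):
        self.app = app
        self.deny_path = deny_path  # hypothetical file: one blocked user id per line
        self.user_key = user_key    # assumed environ key carrying the authenticated id
        self._stamp = None
        self._denied = frozenset()

    def _load(self):
        """Return the current deny set, or None if the list cannot be read."""
        try:
            st = os.stat(self.deny_path)
            stamp = (st.st_mtime_ns, st.st_size)
            if stamp != self._stamp:  # reload only when the file has changed
                with open(self.deny_path, encoding="utf-8") as fh:
                    entries = (line.strip().lower() for line in fh)
                    self._denied = frozenset(
                        e for e in entries if e and not e.startswith("#"))
                self._stamp = stamp
        except OSError:
            return None
        return self._denied

    def __call__(self, environ, start_response):
        user = (environ.get(self.user_key) or "").strip().lower()
        denied = self._load()
        # Fail closed: unreadable list, missing user id, or listed user => 403.
        if denied is None or not user or user in denied:
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"Access denied\n"]
        return self.app(environ, start_response)
```
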

