Manually force Shibboleth SP to expire/invalidate all sessions
Eric Goodman
Eric.Goodman at ucop.edu
Wed Feb 21 12:55:44 EST 2018
Well, that's a solution if you control every SP in question. I expect Peter's comment was speaking of a more federated environment.
We could just have the IdPs all advertise an OCSP-style "disabled users/nameids" query endpoint, and then there'd be a standard mechanism to handle this use case across IdPs and SPs!
--- Eric
From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Michael A Grady
Sent: Wednesday, February 21, 2018 9:53 AM
To: Shib Users
Subject: Re: Manually force Shibboleth SP to expire/invalidate all sessions
On Feb 21, 2018, at 11:17 AM, Peter Schober <peter.schober at univie.ac.at<mailto:peter.schober at univie.ac.at>> wrote:
1] That's not a fix in case you have more than one SP to care about,
of course, that one would require admin logout.
Not if you did it with an LDAP group membership, and all SPs included that authz block. Then you could change it in one place. Even with admin logout (unless you mean admin SLO logout starting at the IdP, I suppose that could, at least theoretically, get all SPs), if that was based at the SP, you'd need to do it SP-by-SP, right?
--
Michael A. Grady
IAM Architect, Unicon, Inc.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20180221/cd967a9c/attachment.html>
More information about the users
mailing list