Manually force Shibboleth SP to expire/invalidate all sessions

Eric Goodman Eric.Goodman at
Wed Feb 21 12:55:44 EST 2018

Well, that's a solution if you control every SP in question. I expect Peter's comment was speaking of a more federated environment.

We could just have the IdPs all advertise an OCSP-style "disabled users/nameids" query endpoint, and then there'd be a standard mechanism to handle this use case across IdPs and SPs!

--- Eric

From: users [mailto:users-bounces at] On Behalf Of Michael A Grady
Sent: Wednesday, February 21, 2018 9:53 AM
To: Shib Users
Subject: Re: Manually force Shibboleth SP to expire/invalidate all sessions

On Feb 21, 2018, at 11:17 AM, Peter Schober <peter.schober at<mailto:peter.schober at>> wrote:

1] That's not a fix in case you have more than one SP to care about,
of course, that one would require admin logout.

Not if you did it with an LDAP group membership, and all SPs included that authz block. Then  you could change it in one place. Even with admin logout (unless you mean admin SLO logout starting at the IdP, I suppose that could, at least theoretically, get all SPs), if that was based at the SP, you'd need to do it SP-by-SP, right?

Michael A. Grady
IAM Architect, Unicon, Inc.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list