administratively terminate specific SP session

Scott Koranda skoranda at
Wed Feb 21 13:26:19 EST 2018

> > Given a session ID from the transaction log (e.g.
> > _ae7b9914292d19c02b6b632edc5e9383 with applicationId 'default' from
> > AssertionID 'id-KS2cElqrTQ12UzCVm') is it possible to administratively
> > terminate the SP session, preferably from the command line?
> No, it's not.

Thanks for the confirmation.

> > If not, will you entertain a feature request for such capability?
> I'm willing (esp. if it's divorced from having to implement SAML
> administrative logout and let the IdP know) but it won't work with the
> client-side feature in V3 unless we come up with some ugly workaround
> like a session blacklist I guess.

I specifically wrote 'entertain' because I am not convinced, based on
the other thread, the effort would be worth it. Especially if it cannot
be recovered for V3.

> What would make you *not* prefer doing this with the web server or
> application to block authz? That seems like a much better way to do it
> to me...

The application involved yesterday during the security incident response
exercise uses passive or lazy sessions with authorization done by the

The application uses group-based access control. The group information
for an identity is carried by the SAML assertion and hence the SP
session maintains it. The application reads it for each access from the
SP session.

There are many objects in the application using the group-based access
control. There is a global default, but the default can be overridden per
object. There is no good mechanism to find objects that override the
defaults or to reset the access control for all objects.

Put simply, the application does not make it easy to globally change the
authorization for all objects during this type of scenario.

> I hope you say persistent IDs... ;-)

Sorry, I am not following?


Scott K for LIGO
