administratively terminate specific SP session

Peter Schober peter.schober at
Wed Feb 21 13:29:27 EST 2018

* Cantor, Scott <cantor.2 at> [2018-02-21 19:23]:
> > But could I locate (and possibly remove) the session information from
> > a suitable storage service, by interacting with the storage backend
> > itself?  (Returning to my cross-over topic of a clustered memcached
> > storage backend, even though introducing something like that solely to
> > block subjects based on session IDs seems overkill.)
> Yes, it's just the documented/undocumented problem. Without a
> supported API, we can change the storage format and break something
> doing that. Same reason I had to add an API for lockout management
> in the IdP, manipulating the storage breaks the encapsulation.

I was thinking of consent as a similar case. (The JSON of the
records and the index is simple enough so that folks that need
out-of-band revoking could talk to the storage backend, until the format
changes, etc.)

> But yes, it's a very easy to figure out storage layout.

So that's definitively something you could put on your SP if you
really needed to lock out someone and only had a session id to go on.
Everything else (httpd authz included) requires attributes, I guess.

