administratively terminate specific SP session
Peter Schober
peter.schober at univie.ac.at
Wed Feb 21 13:29:27 EST 2018
* Cantor, Scott <cantor.2 at osu.edu> [2018-02-21 19:23]:
> > But could I locate (and possibly remove) the session information from
> > a suitable storage service, by interacting with the storage backend
> > itself? (Returning to my cross-over topic of a clustered memcached
> > storage backend, even though introducing something like that solely to
> > block subjects based on session IDs seems overkill.)
>
> Yes, it's just the documented/undocumented problem. Without a
> supported API, we can change the storage format and break something
> doing that. Same reason I had to add an API for lockout management
> in the IdP, manipulating the storage breaks the encapsulation.
I was thinking of consent as a similar case. (The JSON of the
records and the index is simple enough so that folks that need
out-of-band revoking could talk to the storage backend, until the format
changes, etc.)
> But yes, it's a very easy to figure out storage layout.
So that's definitively something you could put on your SP if you
really needed to lock out someone and only had a session id to go on.
Everything else (httpd authz included) requires attributes, I guess.
-peter