administratively terminate specific SP session

Cantor, Scott cantor.2 at osu.edu
Wed Feb 21 13:31:54 EST 2018


> I specifically wrote 'entertain' because I am not convinced, based on
> the other thread, the effort would be worth it. Especially if it cannot
> be recovered for V3.

Dumping all the sessions is still easy, but blocking only one would be impossible without a distributed blacklist. I already probably have to use an XML file to manage the keys, so that's probably where it would end up.

> The application involved yesterday during the security incident response
> exercise uses passive or lazy sessions with authorization done by the
> application.
> 
> The application uses group-based access control. The group information
> for an identity is carried by the SAML assertion and hence the SP
> session maintains it. The application reads it for each access from the
> SP session.

Apache is pretty powerful in 2.4; I wouldn't dismiss the possibility that something could be cooked up that allows access if the session isn't active but still blocks access other times. That used to be impossible, but I'm not 100% certain it is now.

> Sorry, I am not following?

Joke. I was just thinking that one hitch in blocking a user is not knowing their ID.

-- Scott
