administratively terminate specific SP session

Scott Koranda skoranda at
Wed Feb 21 14:09:56 EST 2018

> > The application involved yesterday during the security incident response
> > exercise uses passive or lazy sessions with authorization done by the
> > application.
> > 
> > The application uses group-based access control. The group information
> > for an identity is carried by the SAML assertion and hence the SP
> > session maintains it. The application reads it for each access from the
> > SP session.
> Apache is pretty powerful in 2.4, I wouldn't dismiss the possibility
> something could be cooked up that allows access if the session isn't
> active but still blocks access other times. That used to be impossible
> but I'm not 100% certain it is now.

We will ponder that. Thanks.

> > Sorry, I am not following?
> Joke, I was just thinking one hitch in blocking a user is not knowing
> their ID.

The other is having an IdP reach out to an SP during an actual incident.
I am hoping that will become the norm for higher education identity
federations, but it may take quite some time.


Scott K for LIGO

More information about the users mailing list