administratively terminate specific SP session
Scott Koranda
skoranda at gmail.com
Wed Feb 21 14:09:56 EST 2018
> > The application involved yesterday during the security incident response
> > exercise uses passive or lazy sessions with authorization done by the
> > application.
> >
> > The application uses group-based access control. The group information
> > for an identity is carried by the SAML assertion and hence the SP
> > session maintains it. The application reads it for each access from the
> > SP session.
>
> Apache is pretty powerful in 2.4, I wouldn't dismiss the possibility
> something could be cooked up that allows access if the session isn't
> active but still blocks access other times. That used to be impossible
> but I'm not 100% certain it is now.
We will ponder that. Thanks.
> > Sorry, I am not following?
>
> Joke, I was just thinking one hitch in blocking a user is not knowing
> their ID.
The other is having an IdP reach out to an SP during an actual incident.
I am hoping that will become the norm for higher education identity
federations, but it may take quite some time.
Thanks,
Scott K for LIGO
More information about the users
mailing list