administratively terminate specific SP session

Peter Schober peter.schober at
Wed Feb 21 14:27:33 EST 2018

* Scott Koranda <skoranda at> [2018-02-21 20:07]:
> > If that's correct then whatever you do today you could still do with
> > v3, you just can't have it both ways: "stateless clustering" and
> > "server-side session removal" at the same time.
> FWIW, LIGO does not currently operate any SPs that require or desire
> stateless clustering and server-side sessions are working fine.
> Server-side session removal, as detailed on this thread, is a higher
> priority for LIGO than stateless clusterning.

My bad (again) for side-tracking this by a wrong choice if words: I
meant "purely client-side session storage" but wrote "stateless
clustering" since the former was the way to implement the latter
within the Shib IDP.
I.e., you can't have both purely client-side session storage plus
server-side (or server-initiated) termination of said sessions.

So for your use-case it seems adding one memcached to the SP and then
hacking up a script that uses the memcache protocol or API to remove a
session from the session storage backend directly based on session id
comes closest to what you're looking for, is possible today, works
without attributes by the IDP (probably a given in incident response)
-- and at the price of moving session storage from memory to memcached
(or compatible servers), which seems reasonable in my book.


More information about the users mailing list