administratively terminate specific SP session
peter.schober at univie.ac.at
Wed Feb 21 14:27:33 EST 2018
* Scott Koranda <skoranda at gmail.com> [2018-02-21 20:07]:
> > If that's correct then whatever you do today you could still do with
> > v3, you just can't have it both ways: "stateless clustering" and
> > "server-side session removal" at the same time.
> FWIW, LIGO does not currently operate any SPs that require or desire
> stateless clustering and server-side sessions are working fine.
> Server-side session removal, as detailed on this thread, is a higher
> priority for LIGO than stateless clusterning.
My bad (again) for side-tracking this by a wrong choice if words: I
meant "purely client-side session storage" but wrote "stateless
clustering" since the former was the way to implement the latter
within the Shib IDP.
I.e., you can't have both purely client-side session storage plus
server-side (or server-initiated) termination of said sessions.
So for your use-case it seems adding one memcached to the SP and then
hacking up a script that uses the memcache protocol or API to remove a
session from the session storage backend directly based on session id
comes closest to what you're looking for, is possible today, works
without attributes by the IDP (probably a given in incident response)
-- and at the price of moving session storage from memory to memcached
(or compatible servers), which seems reasonable in my book.
More information about the users