Terminate session if user does not accept terms&conditions

Oluf Færø ofa at klintra.fo
Wed Jun 9 23:22:49 UTC 2021

I have enabled the "terms-of-use" intercept flow for SAML2 requests.

The Terms Of Use page is displayed after successful authentication of the user.

To allow the user to reject the terms I have added a button where the user can submit TermsRejected to the IDP.

Basically I added the following form to the terms-of-use.vm page:

<form action="$flowExecutionUrl" method="post">
    <input type="submit" name="_eventId_TermsRejected" id="confirmCancelButton" value="Reject terms" >
</form>

In the error handling configuration (conf/errors.xml) the TermsRejected key is mapped to the "shibboleth.SAML2Status.AuthnFailed" value.

The behaviour is that if a user rejects the terms an AuthnFailed response is sent back to the service provider.

But unfortunately rejection of the terms does not terminate the user session on the IDP. If the user is redirected back to the IDP to authenticate he is sent directly to the Terms-Of-Use page — and not required to authenticate as the previous session is still active.

Is it possible to configure Shibboleth to only establish the user session after the terms-of-use are approved by the user?

If not, is it possible to terminate the user session if the user submits "TermsRejected" to the IDP flow?
