administratively invalidate user's SSO session(s)
cantor.2 at osu.edu
Fri Jan 14 14:21:11 UTC 2022
On 1/14/22, 8:48 AM, "users on behalf of Simon Lundström" <users-bounces at shibboleth.net on behalf of simlu at su.se> wrote:
> IANAD(eveloper) but shouldn't it be possible for the client storage to
> set the session ID that you want to log out on a blocklist and when the
> user hits the IDP again and presents the blocked session ID the IDP
> invalidates/removes it from client storage and sends the user to the
> login page?
That's a revocation list, but no, because there's no way for anyone else to know the session ID. It has to be done by identity.