administratively invalidate user's SSO session(s)

Cantor, Scott cantor.2 at osu.edu
Fri Jan 14 14:21:11 UTC 2022


On 1/14/22, 8:48 AM, "users on behalf of Simon Lundström" <users-bounces at shibboleth.net on behalf of simlu at su.se> wrote:

>    IANAD(eveloper) but shouldn't it be possible for the client storage to
>    set the session ID that you want to log out on a blocklist and when the
>    user hits the IDP again and presents the blocked session ID the IDP
>    invalidates/removes it from client storage and sends the user to the
>    login page?

That's a revocation list, but no, because there's no way for anyone else to know the session ID. It has to be done by identity.

-- Scott
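
The following is an added example, not part of the message above and not Shibboleth IdP code: a minimal sketch of revocation "by identity" for sessions kept in client-side storage. The record layout, the HMAC sealing and all names (`seal`, `RevocationList`, `accept`) are assumptions made for illustration.

```python
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"  # constructed value; stands in for the server's sealing key


def seal(session: dict) -> str:
    """Serialize and MAC a session record before handing it to the browser."""
    body = json.dumps(session, sort_keys=True)
    tag = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{tag}.{body}"


def unseal(blob: str):
    """Return the session dict, or None if the MAC does not verify."""
    tag, _, body = blob.partition(".")
    good = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag.encode(), good.encode()):
        return None
    return json.loads(body)


class RevocationList:
    """Server-side map: principal -> time of the latest administrative revocation."""

    def __init__(self):
        self._revoked_at = {}

    def revoke(self, principal: str, now: int) -> None:
        # The administrator supplies only the username. The session ID exists
        # solely in the user's browser, so it cannot be the lookup key.
        self._revoked_at[principal] = now

    def is_revoked(self, session: dict) -> bool:
        cutoff = self._revoked_at.get(session["principal"])
        # Any session for this principal created at or before the cutoff is dead.
        return cutoff is not None and session["created"] <= cutoff


def accept(blob: str, revocations: RevocationList):
    """Return the session if authentic and not revoked, else None (send to login)."""
    session = unseal(blob)
    if session is None or revocations.is_revoked(session):
        return None
    return session
```

Comparing the session's creation time against a per-principal cutoff lets a login performed after the revocation succeed without the revocation entry having to be removed first.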



