administratively invalidate user's SSO session(s)

Cantor, Scott cantor.2 at
Fri Jan 14 14:21:11 UTC 2022

On 1/14/22, 8:48 AM, "users on behalf of Simon Lundström" <users-bounces at on behalf of simlu at> wrote:

>    IANAD(eveloper) but shouldn't it be possible for the client storage to
>    set the session ID that you want to logout on a blocklist and when the
>    user hits the IDP again and present the blocked session ID the IDP
>    invalidates/removes it from client storage and sends the user to the
>    login page?

That's a revocation list, but no, because there's no way for anyone else to know the session ID. It has to be done by identity.

-- Scott

More information about the users mailing list