administratively invalidate user's SSO session(s)

Cantor, Scott cantor.2 at osu.edu
Wed Jan 19 00:57:28 UTC 2022


On 1/18/22, 7:47 PM, "users on behalf of IAM David Bantz" <users-bounces at shibboleth.net on behalf of dabantz at alaska.edu> wrote:

>    Passing on reverse engineering the ‘not really documented’ session store to find and remove SSO sessions,
> but still seeking to render illicit SSO sessions useless, is the following feasible: 

There's a supported way for interceptor flows to signal back they want to redo authentication (event ID is RestartAuthentication), but it leaves the interceptor with the responsibility to change the internal state of the session to prevent SSO from just happening again. It takes work and knowledge of the system internals.

You basically have to use APIs into the SessionManager to remove the stored authentication results that would allow for SSO so that when it restarts the process, they're not there anymore and it's forced back into a new login sequence.

-- Scott
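An illustrative post-authentication interceptor action along the lines Scott describes, added here for the thread and not code from the Shibboleth project; it assumes the IdP 4.x class names shown exist as named, that SessionContext is populated before the interceptor runs, and a hypothetical sessionIsRevoked() policy hook:

```java
// Added illustration for this thread, not Shibboleth project code. Assumes the
// IdP 4.x classes named below and that SessionContext is already populated.
import java.util.ArrayList;
import java.util.List;
import javax.annotation.Nonnull;
import org.opensaml.profile.action.ActionSupport;
import org.opensaml.profile.action.EventIds;
import org.opensaml.profile.context.ProfileRequestContext;
import net.shibboleth.idp.authn.AuthenticationResult;
import net.shibboleth.idp.profile.AbstractProfileAction;
import net.shibboleth.idp.session.IdPSession;
import net.shibboleth.idp.session.SessionException;
import net.shibboleth.idp.session.context.SessionContext;

/**
 * Interceptor action that strips the stored AuthenticationResults from the
 * current IdP session and then signals RestartAuthentication, so the restarted
 * authentication flow finds nothing to reuse and forces a fresh login.
 */
public class ForceReauthenticationAction extends AbstractProfileAction {

    /** Hypothetical policy hook: replace with the deployer's revocation check. */
    protected boolean sessionIsRevoked(@Nonnull final IdPSession session) {
        return false;
    }

    @Override
    protected void doExecute(@Nonnull final ProfileRequestContext profileRequestContext) {
        final SessionContext sessionCtx = profileRequestContext.getSubcontext(SessionContext.class);
        final IdPSession session = sessionCtx != null ? sessionCtx.getIdPSession() : null;
        if (session == null || !sessionIsRevoked(session)) {
            return; // nothing to do; the flow proceeds normally ("proceed" event)
        }
        // Copy first: the set returned is a snapshot and we mutate the session below.
        final List<AuthenticationResult> results = new ArrayList<>(session.getAuthenticationResults());
        for (final AuthenticationResult result : results) {
            try {
                session.removeAuthenticationResult(result);
            } catch (final SessionException e) {
                // Fail closed: do not let SSO continue on a session we could not clean.
                ActionSupport.buildEvent(profileRequestContext, EventIds.IO_ERROR);
                return;
            }
        }
        // Event ID from the thread; the restarted authn flow has no results left to reuse.
        ActionSupport.buildEvent(profileRequestContext, "RestartAuthentication");
    }
}
```

Wire the action into a post-authentication interceptor flow as a bean; removing the results only matters because the RestartAuthentication event alone would otherwise let SSO resume from the same session.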
