IDP initiated session termination


Daniel Schwartz

Dec 8, 2020, 11:36:14 AM
to SimpleSAMLphp
Hi - 

I am looking for a method to terminate all sessions that a particular user might have stored on our IDP. When we disable an account in our IDM system, it disables it in our LDAP (authsource), but if they have an active session on SSP, they can keep reconnecting to various services.

Is there a way that I can trigger a session delete/logout for a user, so that if they reconnect it will force a check against our authsources (LDAP) before automatically connecting? Is there an easy way to figure out their session id(s) based on their login info (username or email address)? We are using memcache with SSP.

Thanks - Dan

pat...@cirrusidentity.com

Dec 8, 2020, 2:25:02 PM
to SimpleSAMLphp
You could prevent the user from accessing additional SPs with their existing IdP session by using authproc filters.
There is an ldap authproc filter, so you can load the enabled/disabled attribute from ldap and then you could:
A) use the authorize authproc filter to deny them access
B) create an authproc filter (or perhaps use the existing php authproc filter) to trigger a saml logout flow if the user is disabled.

Option B would try to log them out of any SPs they already have sessions on (assuming those SPs support SAML logout).
Generally B is brittle. User is likely to encounter an error at one of the SPs about log out not working.

If you want to delete their session from memcache, you would need to turn up your log level to see what the memcache key is that's being used.
I think authproc filters would be easier.

- Patrick

Daniel Schwartz

Dec 8, 2020, 4:00:55 PM
to SimpleSAMLphp
Hi Patrick -

Do you think I could add something to the authproc to store the username/session key in memcache, so that I could easily pull that info and wouldn't need to search through log files?

pra...@gmail.com

Dec 9, 2020, 1:39:20 PM
to SimpleSAMLphp
You can use 

and store whatever you want in memcache with

SimpleSAML\Store::getInstance()->set()
and get the session id with SimpleSAML\SessionHandler::getSessionHandler()->getCookieSessionId()

A user can have multiple sessions if they use multiple devices/browsers, so you would need to handle multiple session ids, and of course clean up/expire the data.

- Patrick
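Putting the two suggestions from this thread together (Patrick's option A, denying a disabled account in an authproc filter, and the follow-up idea of indexing username to session id in the Store), here is one way it could look as a custom SimpleSAMLphp 1.x authproc filter. This is an added example, not code from the thread or from the SimpleSAMLphp project. Everything not named in the thread is an assumption: the module name `myorg`, the class name `TrackAndDenyDisabled`, the attribute names `uid` and `accountStatus`, the value `disabled`, the Store type name `usersessions`, and the assumption that the store-backed session handler keeps sessions under type `session` keyed by session id (check that against your SSP version before relying on `revokeUser()`).

```php
<?php
// Added example (not SimpleSAMLphp project code). Targets the SimpleSAMLphp 1.x API
// named in the thread: SimpleSAML\Store and SimpleSAML\SessionHandler.
// ASSUMPTIONS, not taken from the thread: module 'myorg', attribute 'uid' holds the
// username, attribute 'accountStatus' equals 'disabled' for disabled accounts, and the
// store type names 'usersessions' (ours) and 'session' (SSP's store-backed session handler).
namespace SimpleSAML\Module\myorg\Auth\Process;

use SimpleSAML\Auth\ProcessingFilter;
use SimpleSAML\Error\Exception;
use SimpleSAML\Logger;
use SimpleSAML\SessionHandler;
use SimpleSAML\Store;

class TrackAndDenyDisabled extends ProcessingFilter
{
    private $userAttr = 'uid';           // assumed attribute name
    private $statusAttr = 'accountStatus'; // assumed attribute name (load it with the ldap authproc filter first)
    private $disabledValue = 'disabled'; // assumed value
    private $ttl = 8 * 3600;             // keep the index at least as long as the IdP session lifetime

    public function __construct($config, $reserved)
    {
        parent::__construct($config, $reserved);
        foreach (['userAttr', 'statusAttr', 'disabledValue', 'ttl'] as $k) {
            if (isset($config[$k])) {
                $this->$k = $config[$k];
            }
        }
    }

    public function process(&$request)
    {
        $attrs = $request['Attributes'];
        $user = isset($attrs[$this->userAttr][0]) ? $attrs[$this->userAttr][0] : null;
        if ($user === null) {
            throw new Exception('TrackAndDenyDisabled: attribute ' . $this->userAttr . ' missing');
        }

        // Option A: authproc runs on every SP authentication, including ones served from an
        // existing IdP session, so a disabled account is stopped here even though it still
        // has a valid session cookie.
        $status = isset($attrs[$this->statusAttr]) ? $attrs[$this->statusAttr] : [];
        if (in_array($this->disabledValue, $status, true)) {
            Logger::warning('TrackAndDenyDisabled: denying disabled account ' . $user);
            throw new Exception('Account is disabled');
        }

        // Index username -> {session id => first seen}, so sessions can be found later
        // without grepping logs. One user may have several ids (devices/browsers).
        $store = Store::getInstance();
        if ($store === false) {
            return; // 'phpsession' store has nothing central to index into
        }
        $sid = SessionHandler::getSessionHandler()->getCookieSessionId();
        $sids = $store->get('usersessions', $user);
        $sids = is_array($sids) ? $sids : [];
        $sids[$sid] = time();
        $store->set('usersessions', $user, $sids, time() + $this->ttl);
    }

    /**
     * Delete every IdP session recorded for $user. ASSUMES the store-backed session
     * handler keeps sessions under store type 'session' keyed by session id.
     * Returns the number of session ids that were in the index.
     */
    public static function revokeUser($user)
    {
        $store = Store::getInstance();
        if ($store === false) {
            return 0;
        }
        $sids = $store->get('usersessions', $user);
        $sids = is_array($sids) ? $sids : [];
        foreach (array_keys($sids) as $sid) {
            $store->delete('session', $sid);
        }
        $store->delete('usersessions', $user);
        Logger::info('TrackAndDenyDisabled: revoked ' . count($sids) . ' session(s) for ' . $user);
        return count($sids);
    }
}
```

Wiring it in is a normal `authproc.idp` entry placed after the ldap attribute filter, e.g. `60 => ['class' => 'myorg:TrackAndDenyDisabled']` (assumed position and module name); `revokeUser()` can then be called from a small script that your IDM system runs when it disables the account. Two caveats carry over from the thread: revoking the IdP session does nothing to sessions the user already holds at individual SPs, and the index has to be expired or cleaned up, which is why it is written with an expiry and deleted on revoke.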
