shibboleth-dev - Invalidating IdP Session

Subject: Shibboleth Developers

  • From: Paul Hethmon <>
  • To: Shibboleth Dev <>
  • Subject: Invalidating IdP Session
  • Date: Wed, 01 Jul 2009 23:48:37 -0400

Ok, I’ve got a need to have my Shib IdP recognize that a user needs to change their password and direct them to a SP to do that. The password change SP is not the same SP that they tried to access at first. What I would like to have happen is for Shib to authenticate them and send them to the password change SP as an authenticated user. However, I don’t really want Shib to keep a session for them. Instead, I would prefer that once they complete the password change, they get directed to their original SP choice, bounce to the IdP, and then log in with the new credentials.

So, in my login handler, I can do everything there except for killing the Shib session. Looking through the developer docs and APIs, it doesn’t seem that that ability would be available to a login handler. I guess this is related in part to SLO and that can be a handler (though my promise to work on it has not gotten too far yet).

So how far into Shib am I going to have to dig to do what I want?

thanks,

Paul

-----
Paul Hethmon
Chief Software Architect
Clareity Security, LLC
865.824.1350 - office
865.250.3517 - mobile
www.clareitysecurity.com
-----

God does not play dice with the universe; He plays an ineffable game of his own devising, which might be compared, from the perspective of any of the other players, to being involved in an obscure and complex version of poker in a pitch dark room, with blank cards, for infinite stakes, with a dealer who won't tell you the rules, and who smiles all the time.

 -- Terry Pratchett, Good Omens



