The Shibboleth IdP V4 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only. See the IDP5 wiki space for current documentation on the supported version.

RevocationCacheManagement

This interface provides a mechanism managing the contents of an instance of the RevocationCache class, which in turn is layered on a pluggable StorageService. The most common use for this interface is to manage revocation records in support of the AdministrativeLogout feature, but it is generic and can be used to manage records in other RevocationCache instances, such as those used in the OIDC OP plugin.

The interface is a simple REST API via an administrative flow located at the path /idp/profile/admin/revocation and access is blocked by default. Like all administrative features, you have the ability to customize authentication and access control.

To the base path you must append:

/<RevocationCacheBeanID>/<context>/<key>

The bean ID specifies the specific bean of type RevocationCache. The context and key values will depend on the use case (e.g., see AdministrativeLogout for an example, also the examples below).

These HTTP methods are supported:

  1. GET – query for a revocation record matching a particular key

  2. PUT/POST – create or update the expiration of a revocation record

    1. The request body must contain the URL encoded parameter value (the record value to store), and optionally duration (record lifetime in seconds or in XML duration syntax).

  3. DELETE – remove a revocation record manually

Example revocation operations
$ curl -ik "https://localhost/idp/profile/admin/revocation/shibboleth.AuthnRevocationCache/LoginFlowRevocation/prin%21jdoe" HTTP/1.1 200 OK Content-Type: application/json;charset=utf-8 { "data" : { "type" : "revocation-records", "id" : "shibboleth.AuthnRevocationCache/prin!jdoe", "attributes" : { "revocation" : 1659638895 } } } $ curl -X PUT --data "value=1659638895" -ik "https://localhost/idp/profile/admin/revocation/shibboleth.AuthnRevocationCache/LoginFlowRevocation/prin%21jdoe" HTTP 1.1/202 Accepted $ curl -X DELETE -ik "https://localhost/idp/profile/admin/revocation/shibboleth.AuthnRevocationCache/LoginFlowRevocation/prin%21jdoe" HTTP/1.1 204 No Content

Reference

The general properties configuring this flow via admin/admin.properties are:

Name

Default

Description

Name

Default

Description

idp.revocation.logging

Revocation

Audit log identifier for flow

idp.revocation.accessPolicy

AccessDenied

Name of access control policy for request authorization

idp.revocation.authenticated

false

Whether authentication should be performed prior to access control evaluation

idp.revocation.nonBrowserSupported

false

Whether the flow should allow for non-browser clients during authentication

idp.revocation.resolveAttributes

false

Whether attributes should be resolved prior to access control evaluation

To replace the internally defined flow descriptor bean, the following XML is required:

<util:list id="shibboleth.AvailableAdminFlows"> <bean parent="shibboleth.AdminFlow" c:id="http://shibboleth.net/ns/profiles/revocation" p:loggingId="%{idp.revocation.logging:Revocation}" p:policyName="%{idp.revocation.accessPolicy:AccessDenied}" p:nonBrowserSupported="%{idp.revocation.nonBrowserSupported:false}" p:authenticated="%{idp.revocation.authenticated:false}" p:resolveAttributes="%{idp.l.resolveAttributes:false}" /> </util:list>

In older versions and upgraded systems, this list is defined in conf/admin/general-admin.xml. In V4.1+, no default version of the list is provided and it may simply be placed in conf/global.xml if needed.