Found the solution (thanks to Support). Sharing it for anyone who is interested:
Within Splunk all user session timeouts are the result of inactivity, so we effectively only close sessions if they exceed the configured idle time and we provide no mechanism to force sessions to expire/terminate.
However, while it's not a supported feature we do track session tokens, so you could fashion your own solution to delete specific tokens (authentication/httpauth-tokens):
https://docs.splunk.com/Documentation/Splunk/7.2.1/RESTREF/RESTaccess#authentication.2Fhttpauth-tokens.2F.7Bname.7D
You could query the endpoint to list out all session tokens, then delete the token, for example:
curl -k -u admin:changeme https://localhost:8089/services/authentication/httpauth-tokens
curl -k -u admin:changeme --request DELETE https://localhost:8089/services/authentication/httpauth-tokens/vdZv2eB9F0842dyJhrIEiGNTcBMpBeGuwGPYxtGLKAESQkzjSjG7dbymQW58y^oI3kxYXWfK_Fd3cRGqwPQGp58RvEkzwCaC6PmQgCsK
As mentioned above we provide no official mechanism for doing this, but you should be able to use the above to achieve the same result.
Alternatively, since you have CA-Siteminder you should be able to enforce session time limits, through WebAgent-OnAuthAccept-Session-MaxTimeout for example - just note that I am not overly familiar with CA-Siteminder so can't advise on how this should be configured.
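The list-then-delete procedure from the post, as an added Python example (not part of the original post and not Splunk's own code): it removes every session token that belongs to one user and percent-encodes the token name, which matters because tokens like the one above contain `^`. The JSON layout (`entry`, `name`, `content.userName`) and the use of `output_mode=json` are assumptions based on the REST reference; the function names and the sample listing are constructed for illustration.

```python
import base64
import json
import ssl
import urllib.parse
import urllib.request

ENDPOINT = "/services/authentication/httpauth-tokens"

# Constructed sample of the JSON listing (assumed layout, not real tokens).
SAMPLE = {"entry": [
    {"name": "tokA^1", "content": {"userName": "alice"}},
    {"name": "tokB_2", "content": {"userName": "bob"}},
    {"name": "tokC^3", "content": {"userName": "alice"}},
]}

def tokens_for_user(listing, user):
    """Return the session token names whose userName equals `user`."""
    return [e["name"] for e in listing.get("entry", [])
            if e.get("content", {}).get("userName") == user]

def delete_url(base, token):
    """Build the DELETE URL, percent-encoding characters such as '^'."""
    return base + ENDPOINT + "/" + urllib.parse.quote(token, safe="")

def _call(method, url, admin, password, ctx):
    """Send one authenticated request to the management port."""
    req = urllib.request.Request(url, method=method)
    cred = base64.b64encode(f"{admin}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + cred)
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.read()

def revoke_user_sessions(base, admin, password, target, ctx=None):
    """List all sessions, then delete every token owned by `target`."""
    # Default context verifies the server certificate, unlike `curl -k`.
    ctx = ctx or ssl.create_default_context()
    # The listing may be paginated; check the REST reference for paging options.
    body = _call("GET", base + ENDPOINT + "?output_mode=json",
                 admin, password, ctx)
    tokens = tokens_for_user(json.loads(body), target)
    for token in tokens:
        _call("DELETE", delete_url(base, token), admin, password, ctx)
    return len(tokens)

if __name__ == "__main__":
    for name in tokens_for_user(SAMPLE, "alice"):
        print("DELETE", delete_url("https://localhost:8089", name))
```

Run as a script it only prints the DELETE URLs for the constructed sample; `revoke_user_sessions` is the function that talks to a real management port.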