Problem with client ip address changing

Timo Tunturi timo.tunturi at aalto.fi
Wed Nov 14 10:55:46 EST 2012


On 11/14/12 5:04 PM, Viitanen Viljo wrote:
>> That may be, but it isn't normally possible. You don't know what attributes the
>> SP may be requiring, no matter what they say or their metadata says, and you
>> have no way to block the issuance of a response based on that.
>
> I'm not sure what you mean here. We do know which attributes we need in the Finnish Haka federation, and also the one-to-one relationships we have outside the federation.
>
> I think in the modern world requiring client IP address not to change is broken behavior. Some statistics: during September this year we got 1241 of these errors in the process log. October 1403. This month until yesterday (13th), 1520. So it's not just some isolated cases here. We're a mid-sized university in Finland with ~15000 students, I wonder how bad the problem is with bigger installations.

Not a single case has been brought to my attention, which doesn't mean 
isolated incidents don't happen. We do get those errors where the client 
IP address has changed, but just eyeing the logs it appears that it's 
just that it's a laptop or something similar taken home from the office 
and the IP address has indeed changed.

We get about a million logins per month on the IdP. We are using 
uApprove, as well.

-- 
Timo Tunturi, Aalto University IT

