Releasing an attribute based on client IP

Ian Young ian at
Tue Dec 1 11:58:39 EST 2015

> On 24 Nov 2015, at 02:35, Peter Schober <peter.schober at> wrote:
> Other than that, the UKfederation had written this extension for IDPv2
> Seemingly for exactly that same use-case of license holders insisting
> on restricting access to certain IP ranges (as if that meant I'm
> physically present!) but who at the same time are unwilling to do the
> management of IP ranges (per institution) that's needed to do just
> that.

FYI, the UKf use case was slightly different: the publisher allowed access from both on-site (a school) and off-site (a student's home) but had negotiated different license terms for the two situations. To access the resource from the off-site location, the student was expected to pay for a private subscription but use the same credentials.

The case where the student was bright enough to set up some kind of VPN to their school to bypass this was recognised, but the publisher did not regard it as part of the threat model.

    -- Ian
