idp.session.consistentAddress and real security implications.

Dan Oachs doachs at
Mon Apr 25 13:55:50 EDT 2016

I am also curious to hear others thoughts on this.  In our environment 
we decided to disable consistentAddress as well.  The reason was due to 
IPv6, dual homed computers,  and how most OS's these days auto generate 
new IPv6 addresses frequently.  Another issue was with laptops with 
docking stations that that are connected and disconnected frequently.  
In all these cases users would change ip addresses fairly often and 
needing to log in multiple times in an afternoon was a bit much.

         Dan Oachs

On 04/25/2016 12:11 PM, Jeffrey Crawford wrote:
> We've been getting increasing complaints, especially from mobile users 
> that move between 4G/3G and wifi, that they are loosing their IdP SSO 
> sessions.
> Therefore I've been asked to get some concrete data about how much 
> security consistentAddress adds to the IdP sessions, or in other words 
> how much security we lose be disabling it.
> Thanks
> Jeffrey
> ​C​.
> Both pilots and IT professionals require training and currency before 
> charging into clouds!
> ---------------------------------------

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3697 bytes
Desc: S/MIME Cryptographic Signature
URL: <>

More information about the users mailing list