idp.session.consistentAddress and real security implications.
Simon Lundström
simlu at su.se
Tue Apr 26 03:33:41 EDT 2016
At the risk of my answer becoming an answer to an XY problem:
To deal with this, get SPNEGO support on your IDP. Then your users don't
have to type their username and password at least.
BR,
- Simon
On Mon, 2016-04-25 at 12:55:50 -0500, Dan Oachs wrote:
> I am also curious to hear others' thoughts on this. In our environment we
> decided to disable consistentAddress as well. The reason was due to IPv6,
> dual-homed computers, and how most OSes these days auto-generate new IPv6
> addresses frequently. Another issue was with laptops with docking stations
> that are connected and disconnected frequently. In all these cases
> users would change IP addresses fairly often and needing to log in multiple
> times in an afternoon was a bit much.
>
> Thanks,
> Dan Oachs
>
>
> On 04/25/2016 12:11 PM, Jeffrey Crawford wrote:
> > We've been getting increasing complaints, especially from mobile users
> > that move between 4G/3G and wifi, that they are losing their IdP SSO
> > sessions.
> >
> > Therefore I've been asked to get some concrete data about how much
> > security consistentAddress adds to the IdP sessions, or in other words
> > how much security we lose by disabling it.
> >
> > Thanks
> >
> > Jeffrey
> > C.
> >
> > Both pilots and IT professionals require training and currency before
> > charging into clouds!
> > ---------------------------------------
> >
> >
>