Shibboleth SP3 Premature Session Expiration

Cantor, Scott cantor.2 at
Wed Dec 19 09:58:16 EST 2018

On 12/19/18, 9:53 AM, "users on behalf of Michael Kim" <users-bounces at on behalf of michaeljkim at> wrote:

> I think the documentation is fine.  I think what confused me was the examples I see say checkAddress=“false” but no 
> mention of consistentAddress.  Because people, like myself, who are more generalists and not specialists.  It’s hard to
> know that they kind of work hand in hand.

They don't really work hand in hand per se, they're two different things that both have something to do with the client address, but in very different ways, and one of them is much more dangerous than the other.

>  I think it would help if in the example shibboleth xml file to specify both checkAddress=“false” and
> consistentAddress=“false” also.  

Since I think a really terrible idea to ever set consistentAddress to false (you add a significant security weakness IMHO), I really don't favor encouraging people to do that.

-- Scott

More information about the users mailing list