Shibboleth SP3 Premature Session Expiration

Michael Kim michaeljkim at
Wed Dec 19 10:01:39 EST 2018

I agree with you in that it would not be good to verify client address.  The situation I’m in right now causes an issue because my web server and SP is sitting behind an AWS load balancer.  The load balancer can switch between multiple ip addresses without warning.  This causes a problem because the SP can get one or more addresses and expires a session.

I do agree with you though.  I think if we bypassed the load balancer and had everyone simple hit the SP and apache web server, then I’d definitely turn the address checks back on.

Thanks for your help 

> On Dec 19, 2018, at 9:58 AM, Cantor, Scott <cantor.2 at> wrote:
> On 12/19/18, 9:53 AM, "users on behalf of Michael Kim" <users-bounces at on behalf of michaeljkim at> wrote:
>> I think the documentation is fine.  I think what confused me was the examples I see say checkAddress=“false” but no 
>> mention of consistentAddress.  Because people, like myself, who are more generalists and not specialists.  It’s hard to
>> know that they kind of work hand in hand.
> They don't really work hand in hand per se, they're two different things that both have something to do with the client address, but in very different ways, and one of them is much more dangerous than the other.
>> I think it would help if in the example shibboleth xml file to specify both checkAddress=“false” and
>> consistentAddress=“false” also.  
> Since I think a really terrible idea to ever set consistentAddress to false (you add a significant security weakness IMHO), I really don't favor encouraging people to do that.
> -- Scott
> -- 
> For Consortium Member technical support, see
> To unsubscribe from this list send an email to users-unsubscribe at

More information about the users mailing list