SP is not using X-Forwarded-For behind load balancer

Jeffrey Crawford jeffreyc at ucsc.edu
Thu Mar 15 15:09:44 EDT 2018

I'm trying to move away from using consistentAddress="false" and
checkAddress="false" in our shibboelth config behind a load balancer.

I'm having a bit if trouble getting the sp v 2.6.1 to use X-Forwarded-For
ip address for it's session instead of the LB ip address. I feel like I'm
missing some glue between what Apache sees and what is forwarded to the
shibd process. what I've got so far:

Log entry from http logs showing I am receiving X-Forwarded-For
# [15/Mar/2018:11:55:13 -0700] X-Forwarded-For:
TLSv1.2 DHE-RSA-AES256-GCM-SHA384 "POST /grouper/grouperUi
/app/UiV2Main.indexMain HTTP/1.1" 33851

apache conf file entry:
<Location /grouper>
  AuthType shibboleth
  ShibCompatWith24 On
  ShibUseEnvironment On
  ShibRequestSetting requireSession 1
  ShibRequestSetting REMOTE_ADDR X-Forwarded-For
  Require shib-attr isMemberOf

Result of the shibd log pinning the session to the LB:
# 2018-03-15 11:55:13 INFO Shibboleth.SessionCache [2]: new session
created: ID (_2d195a7d3676f4cf0eb11d8539a3d136) IdP (
Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (

Any pointers welcome


Jeffrey Crawford
Enterprise Service Team <jeffreyc at ucsc.edu>
    ^         ^
   / \  ^    / \    ^
  /   \/ \  /   \  / \
 /        \/     \/   \
/                      \

You have been assigned this mountain to prove to others that it *can* be
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20180315/7cd762bf/attachment.html>

More information about the users mailing list