SubjectConfirmationData Address & IPv6

Aaron Howell aaron.howell at
Thu Jul 25 23:26:27 EDT 2019


We have had reports from an SP where some users are being blocked, and they have informed us that there is an issue with the SAML token from our IdP.

To quote them:
    This seems to be because you are sending the wrong format of saml to us: SubjectConfirmationData Address="[2001:db8:5496:9100:588a:5192:c74:d5c5]"
    This would work if the number was not placed in brackets. A working example would be: Address="2001:db8:5496:9100:588a:5192:c74:d5c5"
    The exact error on this one is "Not an IPv4 or IPv6 address"

I have looked at what I think is the SAML spec for this:
Which states “Address [Required] The SA MUST set the value of the saml:Address attribute to contain the address of the browser in IPv4 dotted decimal format, e.g. “” or in IPv6 address format as described in Section 2.2 of [RFC3513], e.g.,"2001:db8::1". The SC MAY compare the value to the known address of the browser.”

RFC3513 does not appear to have anything about the square bracket syntax - so while I think they should be coping with this format (as I have to presume many others are) - I don’t currently appear to have a lot of ground on which to push back - and I haven’t found a way to configure Shibboleth to behave differently.

Just looking for some guidance on interpreting this situation - and what I should be pursuing to resolve the issue.


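An added example, not part of the original message and not Shibboleth or SP vendor code: an SP-side comparison of the `SubjectConfirmationData` `Address` attribute that accepts both the bare and the bracketed IPv6 form discussed above. The function names and the sample XML fragment are constructed for illustration, and the sketch assumes the assertion has already passed signature validation.

```python
import ipaddress
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: the bracketed value the SP rejected, in a minimal fragment.
SAMPLE = """<saml:SubjectConfirmation
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
  <saml:SubjectConfirmationData
      Address="[2001:db8:5496:9100:588a:5192:c74:d5c5]"/>
</saml:SubjectConfirmation>"""


def parse_address(value):
    """Return an ipaddress object for an Address value, or None if invalid.

    Accepts plain IPv4/IPv6 text and an IPv6 literal wrapped in exactly
    one pair of square brackets.
    """
    text = value.strip()
    bracketed = text.startswith("[") and text.endswith("]")
    if bracketed:
        text = text[1:-1]
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return None
    # Brackets only make sense around IPv6; "[192.0.2.1]" is rejected.
    if bracketed and addr.version != 6:
        return None
    return addr


def address_matches(confirmation_xml, client_ip):
    """Compare the asserted Address with the address the SP observed.

    Returns True or False, or None when the attribute is missing or either
    value cannot be parsed, so the caller's policy decides what to do.
    """
    root = ET.fromstring(confirmation_xml)
    data = root.find("saml:SubjectConfirmationData", SAML_NS)
    if data is None or data.get("Address") is None:
        return None
    asserted = parse_address(data.get("Address"))
    seen = parse_address(client_ip)
    if asserted is None or seen is None:
        return None
    # Comparing parsed objects ignores case and zero-compression differences.
    return asserted == seen
```

Comparing parsed address objects rather than strings also avoids false mismatches between compressed and uncompressed IPv6 text.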
