Client IP address check

IAM David Bantz dabantz at
Sat Dec 12 23:42:39 UTC 2020

Our IdP behind a load balancer obtains and records the client IP address in the X-Forwarded-For header. Users of some services, also behind a load balancer, are nevertheless being prompted to reauthenticate because the IdP refuses to proceed with the recently established SSO session, citing IP address mismatch:

Client address ....114.251 invalid for session 011...bf113 bound to ....0.22

The “bound to” address at the end is the correct client IP address; the “Client address” at the beginning is one of the addresses of the load balancer.

Two questions:

What would trigger a Shibboleth SP to request validation or
re-authentication for some users (but not others)?

How is the IdP getting the load balancer IP address as “client address”? Does the SP request include what it thinks is the client IP address, or is the IdP not getting the correct X-Forwarded-For header on this request, even though it did so on the initial request that established the SSO

David St. Pierre Bantz
U Alaska IAM
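Whichever of the two causes raised in the question applies, the symptom comes down to how the client address is derived from X-Forwarded-For on each request and then compared with the address the session was bound to. As an added illustration (not Shibboleth's code and not from the original post), here is a small model of that derivation and of the binding check, using constructed addresses and an assumed trusted-proxy range:

```python
import ipaddress
from typing import Optional

# Constructed example, not Shibboleth's own code. It models (1) deriving the
# real client address from X-Forwarded-For when the IdP sits behind a load
# balancer and (2) the session-to-address binding check that produces a
# "Client address ... invalid for session ... bound to ..." style refusal
# when the two disagree.

# Assumed: the load balancer's addresses are known in advance and trusted.
# 10.0.0.0/8 is a constructed placeholder range, not a real deployment value.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def is_trusted_proxy(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)


def client_address(remote_addr: str, xff: Optional[str] = None) -> str:
    """Return the address a session should be bound to.

    Walk X-Forwarded-For from the right (the hop nearest us) and skip every
    address that belongs to a trusted proxy; the first untrusted address is
    the client. Taking the leftmost value instead would let any client choose
    its own "client address" simply by sending the header itself.
    """
    if not is_trusted_proxy(remote_addr):
        # Request did not arrive through the load balancer: any XFF header
        # present was supplied by the client and must be ignored.
        return remote_addr
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if not is_trusted_proxy(hop):
            return hop
    # No untrusted hop found (header missing or stripped on this request):
    # the only address left is the load balancer's own, which is exactly
    # how a proxy address ends up recorded as the "client address".
    return remote_addr


def session_address_ok(session_bound_addr: str, request_addr: str) -> bool:
    """Binding check: the session is only honoured from the address it was created from."""
    return ipaddress.ip_address(session_bound_addr) == ipaddress.ip_address(request_addr)
```

Running `client_address` over the first request and over a later request with the header missing shows how the same session can pass the check once and then fail it.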