Client IP address check
IAM David Bantz
dabantz at alaska.edu
Sat Dec 12 23:42:39 UTC 2020
Our IdP behind a load balancer obtains and records the client IP address in the x-Forwarded-For header.

Users of some services also behind the load balancer are nevertheless being prompted to reauthenticate because the IdP refuses to proceed with the recently established SSO session, citing IP address mismatch:

Client address ....114.251 invalid for session 011...bf113 bound to ....0.22

The “bound to” address at the end is the correct client IP address; the “Client address” at the beginning is one of the addresses of the load balancer.

Two questions:

What would trigger a Shibboleth SP to request validation or re-authentication for some users (but not others)?

How is the IdP getting the load balancer IP address as “client address”? Does the SP request include what it thinks is the client IP address, or is the IdP not getting the correct x-Forwarded-For header on this request, even though it did so on the initial request that established the SSO session?
David St. Pierre Bantz
U Alaska IAM
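An added illustration, not code from Shibboleth or from the message above, of the two pieces the mismatch involves: resolving the real client address from x-Forwarded-For against a list of trusted proxies, and the session-to-address consistency check that produces an "invalid for session ... bound to" style failure when that resolution is skipped. The proxy network, session id and client addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed: the load balancer network whose X-Forwarded-For values are trusted.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def is_trusted_proxy(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)  # raises ValueError on a malformed entry
    return any(ip in net for net in TRUSTED_PROXIES)


def effective_client_ip(remote_addr: str, xff: Optional[str]) -> str:
    """Resolve the client address behind trusted proxies.

    The header is honored only when the TCP peer is itself a trusted proxy,
    so a direct client cannot forge its own address. Hops are walked from the
    right; the first address not belonging to a trusted proxy is the client.
    """
    if not xff or not is_trusted_proxy(remote_addr):
        return remote_addr
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            if not is_trusted_proxy(hop):
                return hop
        except ValueError:
            # Malformed hop: stop trusting the header, fall back to the peer.
            return remote_addr
    # Every hop was a trusted proxy; the peer address is the best answer left.
    return remote_addr


@dataclass
class Session:
    session_id: str
    bound_address: str  # client address recorded when the SSO session was created


def check_session_address(session: Session, client_addr: str) -> Tuple[bool, str]:
    """Return (ok, message) for an address-consistency check on a session."""
    if client_addr == session.bound_address:
        return True, "ok"
    return False, (f"Client address {client_addr} invalid for session "
                   f"{session.session_id} bound to {session.bound_address}")
```

With the peer address fed straight into the check, every request arriving via the balancer fails against a session bound to the real client; resolving x-Forwarded-For first makes the same request pass.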