Client IP address check

Cantor, Scott cantor.2 at
Mon Dec 14 14:16:15 UTC 2020

On 12/12/20, 6:42 PM, "users on behalf of IAM David Bantz" <users-bounces at on behalf of dabantz at> wrote:
>    What would trigger a Shibboleth SP to request validation or re-authentication for some users (but not others)?

The same sorts of things, networks, clients, millions of other details. You can't know why an SP does anything unless you run it or have its logs.

>    How is the IdP getting the load balancer IP address as “client address”? - Does the SP request include what it thinks is
>the client IP address, or is the IdP not getting the correct x-Forwarded-For header on this request, even though it did so on
> the initial request that established the SSO session?

The latter. You have a broken LB.

-- Scott

More information about the users mailing list