Security considerations on consistentAddress up to date?
Nate Klingenstein
ndk at signet.id
Wed Jan 20 11:32:19 UTC 2021
Marco,
I'm not aware of any other form of binding of the SAML assertion, which is typically a bearer token, to the client, beyond IP addresses. That makes it prone to being stolen and played by third parties. consistentAddress is the closest thing we have to protection in widespread implementation that is really feasible, as it at least ensures that subsequent access using the same Shibboleth session comes from the same IP address -- but that's what's breaking things for you here. (checkAddress is the same idea, but more strict, so that the client has to have the same IP at both the IdP and the SP). So, this is the best setting available in a general Shibboleth environment for binding the assertion and resulting session to the client.
In theory, there are a number of other ways you could bind the SAML assertion to the client in a more elegant way. The SAML Holder-of-Key Profile is probably the best, but it also involves the most work and modification to the client and the SP [1]. This links the assertion to the client through asymmetric cryptography, and preferably extended to any ensuing cookie-based sessions, which is a very strong binding, but it is fairly intrusive in its implementation and deployment requirements. We thought about channel bindings more generally as well [2]. I don't know how much, if any, of this ever found its way into the Shibboleth code base or extensions.
I'd say all the security considerations are definitely still relevant, and possibly more so today than ever before, unless you trust today's CA's more than you trusted those of previous generations. That's a judgment call and I think most people would say they have lapsed over time.
So, you're left with the alternatives of moving to one of the more secure channel/assertion bindings and really securing the assertion to the client, which may involve substantial development work, or turning off consistentAddress, which would decrease the security of the SP to client interactions meaningfully [3].
[1] https://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-holder-of-key-browser-sso.html
[2] https://docs.oasis-open.org/security/saml/Post2.0/saml-channel-binding-ext/v1.0/saml-channel-binding-ext-v1.0.html
[3] https://docs.oasis-open.org/security/saml/v2.0/saml-sec-consider-2.0-os.pdf
Ready to get posterized by Scott,
Nate.
--------
Signet, Inc.
The Art of Access ®
https://www.signet.id
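As an added illustration (not code from this thread, from Signet, or from the Shibboleth project), the following Python model shows the difference between the two checks Nate describes and why turning consistentAddress off trades one failure mode for another. The class and method names (ServiceProvider, consume_assertion, authorize) are assumptions made for the example, and the client addresses are constructed from the RFC 5737 documentation ranges.

```python
from __future__ import annotations

import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Assertion:
    """Minimal stand-in for a SAML bearer assertion (constructed for this example)."""
    subject: str
    # Address the IdP observed when it issued the assertion; in a real assertion this
    # corresponds to SubjectConfirmationData/@Address.
    issued_to_address: Optional[str]


@dataclass
class Session:
    """SP session created after a successful assertion, bound to the client address."""
    subject: str
    bound_address: str
    session_id: str = field(default_factory=lambda: secrets.token_hex(16))


class ServiceProvider:
    """Models the two address-binding checks discussed in the thread.

    check_address:      reject an assertion if the address the IdP saw differs from the
                        address the SP sees at consumption (the stricter check).
    consistent_address: reject a request on an existing session if it arrives from a
                        different address than the one the session was created with.
    """

    def __init__(self, check_address: bool = False, consistent_address: bool = True):
        self.check_address = check_address
        self.consistent_address = consistent_address
        self.sessions: dict[str, Session] = {}

    def consume_assertion(self, assertion: Assertion, client_address: str) -> Optional[Session]:
        if self.check_address and assertion.issued_to_address != client_address:
            # Assertion presented from an address other than the one the IdP saw.
            return None
        session = Session(subject=assertion.subject, bound_address=client_address)
        self.sessions[session.session_id] = session
        return session

    def authorize(self, session_id: str, client_address: str) -> bool:
        session = self.sessions.get(session_id)
        if session is None:
            return False
        if self.consistent_address and session.bound_address != client_address:
            # This is the "session invalidated" symptom: the same cookie is presented
            # from a new address, whether by a thief or by a roaming mobile client.
            del self.sessions[session_id]
            return False
        return True


# Constructed sample addresses (RFC 5737 documentation ranges).
IDP_SEEN = "203.0.113.10"     # address the IdP observed at login
CARRIER_NEW = "198.51.100.7"  # the same user after a mobile network hand-over
ATTACKER = "192.0.2.99"       # a third party holding a copied assertion or cookie


def scenario(check_address: bool, consistent_address: bool) -> dict[str, bool]:
    """Run three independent cases against an SP configured with the given checks."""
    def fresh() -> ServiceProvider:
        return ServiceProvider(check_address, consistent_address)

    assertion = Assertion(subject="alice", issued_to_address=IDP_SEEN)

    # Case 1: an assertion is presented to the SP from an address the IdP never saw.
    sp = fresh()
    replayed_assertion_rejected = sp.consume_assertion(assertion, ATTACKER) is None

    # Case 2: a legitimate login, then the session cookie is presented by a third party.
    sp = fresh()
    session = sp.consume_assertion(assertion, IDP_SEEN)
    stolen_cookie_rejected = not sp.authorize(session.session_id, ATTACKER)

    # Case 3: a legitimate login, then the same user's address changes mid-session.
    sp = fresh()
    session = sp.consume_assertion(assertion, IDP_SEEN)
    roaming_user_keeps_session = sp.authorize(session.session_id, CARRIER_NEW)

    return {
        "replayed_assertion_rejected": replayed_assertion_rejected,
        "stolen_cookie_rejected": stolen_cookie_rejected,
        "roaming_user_keeps_session": roaming_user_keeps_session,
    }


if __name__ == "__main__":
    for cfg in [(False, True), (True, True), (False, False)]:
        print(f"checkAddress={cfg[0]} consistentAddress={cfg[1]}: {scenario(*cfg)}")
```

With consistentAddress on, a copied cookie presented from elsewhere is refused, but so is the roaming user, which is the breakage Marco reports; with it off, the roaming user is fine and the copied cookie is accepted. Neither setting binds the assertion to the client cryptographically, which is what the Holder-of-Key and channel-binding documents address.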
-----Original message-----
From: Marco Lechner
Sent: Wednesday, January 20 2021, 1:04 am
To: users at shibboleth.net
Subject: Security considerations on consistentAddress up to date?
Hello,
we are having problems with one important customer facing invalidation of Shibboleth sessions all the time. It turned out that it might be a similar problem to the one already discussed on this list in 2013 [1]. Are the security considerations about setting consistentAddress="false" still up to date? Or have there been any new aspects or improvements since mobile devices (which might change their IP/provider quite often) became more significant?
Best regards
Marco Lechner
[1] https://shibboleth.1660669.n2.nabble.com/IP-address-mismatch-issues-td7586969.html
--
i.A. Dr. Marco Lechner
Leiter Fachgebiet RN 1 │ Head RN 1
Bundesamt für Strahlenschutz │ Federal Office for Radiation Protection
Koordination Notfallschutzsysteme │ Coordination Emergency Systems │ RN 1
Rosastr. 9
D-79098 Freiburg
Tel.: +49 30 18333-6724
E-Mail: mlechner at bfs.de
www.bfs.de
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net