Security considerations on consistentAddress up to date?

Nate Klingenstein ndk at signet.id
Wed Jan 20 13:16:56 UTC 2021


> (checkAddress is the same idea, but more strict, so that the client has to have the same IP at both the IdP and the SP).  So, this is the best setting available in a general Shibboleth environment for binding the assertion and resulting session to the client.

Note that checkAddress does not assume and is not the same as consistentAddress, as it only applies to the initial SAML assertion's acceptance, and not the subsequent Shibboleth session checking afterwards.  You may find setting both to false, or setting checkAddress to true and consistentAddress to false, given that subsequent access is much more frequent than initial login, to be the optimal tradeoff in your environment.


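The two settings the reply contrasts, shown as shibboleth2.xml Sessions fragments. This is an added illustration, not configuration from the original message or from the Shibboleth project's shipped defaults; every attribute value other than checkAddress and consistentAddress is an assumed placeholder, and the child elements of Sessions are omitted.

```xml
<!-- Added example, not part of the original message. lifetime, timeout,
     handlerURL and the other attributes are placeholders; child elements
     (SessionInitiator, handlers, etc.) are omitted. -->

<!-- Variant A: no IP check when the assertion is accepted, but every later
     request on the session must come from the IP that created it.
     This is the per-request check the reply calls consistentAddress. -->
<Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
          checkAddress="false" consistentAddress="true"
          handlerURL="/Shibboleth.sso" handlerSSL="true" cookieProps="https">
  <!-- SessionInitiator and handler elements unchanged -->
</Sessions>

<!-- Variant B: the tradeoff the reply suggests. The client IP seen by the
     SP must match the address the IdP put in the assertion (checked once,
     at login), and subsequent requests, which are far more frequent, are
     not tied to an IP. -->
<Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
          checkAddress="true" consistentAddress="false"
          handlerURL="/Shibboleth.sso" handlerSSL="true" cookieProps="https">
  <!-- SessionInitiator and handler elements unchanged -->
</Sessions>
```

Only one Sessions element belongs in a real shibboleth2.xml; the two are shown side by side so the difference in the address attributes is visible. Whichever variant is chosen, clients whose source address changes mid-session (mobile networks, some proxies) will lose sessions under consistentAddress="true", and clients behind a NAT or proxy whose IdP-observed address differs from the SP-observed one will fail login under checkAddress="true".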