Supporting change of IP address during Shibboleth sessions
max.spicer at york.ac.uk
Thu Apr 7 09:33:05 UTC 2022
Thanks for the information, Scott, and apologies for my delayed response.
I wonder, with `idp.session.consistentAddress = false` will Shibboleth log
when it sees a user change IP? Our test system does not seem to but I may
not have the right logging enabled.
If the code does not do this, would implementing an
idp.session.consistentAddressCondition that logs and always returns true be
a reasonable way to achieve this?
On Tue, 22 Mar 2022 at 12:35, Cantor, Scott <cantor.2 at osu.edu> wrote:
> On 3/22/22, 7:35 AM, "users on behalf of Max Spicer via users" <users-bounces at shibboleth.net on behalf of users at shibboleth.net> wrote:
> > I wondered what others have done to mitigate such situations and also if
> > anyone could expand further on the
> > risks of disabling consistent address checking entirely if cookies are
> > only ever transmitted over SSL.
> Aside from the risks of XSS attacks, the docs reflect my views on the
> relevance of TLS in the face of how CAs operate, but also (in the case of
> the IdP more so), the fact that people run IdPs with a lot of load balancer
> proxying that undermines the trust it's possible to have in that layer. It
> is largely a reference to the insider attack threat. SAML's deployability
> is balanced by the fact that it makes impersonation of users a lot easier
> than it ought to be, and session affinity confines that risk to the IdP
> operator and not half the networking team.
> -- Scott
Max Spicer - Identity Systems Developer
IT Services, University of York
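The "condition that logs and always returns true" idea from the message above, written out as an added example; this is not code from the thread or from the Shibboleth project. It assumes (not stated in the thread) that the IdP resolves `idp.session.consistentAddressCondition` to a Spring bean implementing `java.util.function.BiPredicate<String,String>`, called with the address the session was bound to and the address of the current request, and that SLF4J is on the classpath as it is inside the IdP. The bean name, class name and sample addresses are constructed for the example.

```java
import java.util.function.BiPredicate;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Added example, not from the thread or the Shibboleth project.
 *
 * A session address condition that never rejects an address change but
 * records every one at WARN, so roaming users are not logged out while
 * the change still leaves an audit trail. It does not mitigate cookie
 * theft at all; it only makes a stolen session used from elsewhere
 * visible in the logs.
 *
 * Assumed contract (not confirmed by the thread): the IdP calls
 * test(sessionAddress, requestAddress) and treats false as "reject".
 */
public class LoggingAddressCondition implements BiPredicate<String, String> {

    private static final Logger LOG = LoggerFactory.getLogger(LoggingAddressCondition.class);

    @Override
    public boolean test(final String sessionAddress, final String requestAddress) {
        if (sessionAddress == null || requestAddress == null) {
            // Nothing to compare; record it at DEBUG and let the request through.
            LOG.debug("Address check skipped: session={} request={}", sessionAddress, requestAddress);
            return true;
        }
        if (!sessionAddress.equals(requestAddress)) {
            // WARN so the event survives a typical production log level.
            LOG.warn("Session address changed from {} to {}; allowing because address "
                    + "consistency is not enforced", sessionAddress, requestAddress);
        }
        return true;
    }

    // Stand-alone demonstration with constructed addresses (RFC 5737 ranges);
    // inside the IdP the session layer calls test() instead.
    public static void main(final String[] args) {
        final LoggingAddressCondition cond = new LoggingAddressCondition();
        System.out.println(cond.test("192.0.2.10", "192.0.2.10"));    // true, nothing logged
        System.out.println(cond.test("192.0.2.10", "198.51.100.7"));  // true, one WARN line
    }
}
```

To wire it in under the assumptions above, declare the class as a bean in `conf/global.xml` and set `idp.session.consistentAddressCondition` in `conf/idp.properties` to that bean's id; the WARN lines then appear wherever the IdP's logback configuration sends that logger. One caveat that matters for reading the log: the address the IdP compares is whatever the servlet container reports as the client address, so behind the kind of load-balancer proxying Scott describes both values may be the proxy's address unless the container is configured to honour forwarded-address headers from trusted proxies only.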