Supporting change of IP address during Shibboleth sessions

Max Spicer max.spicer at
Thu Apr 7 09:33:05 UTC 2022

Thanks for the information, Scott, and apologies for my delayed response.

I wonder, with `idp.session.consistentAddress = false`, will Shibboleth log
when it sees a user change IP? Our test system does not seem to, but I may
not have the right logging enabled.

If the code does not do this, would implementing an
idp.session.consistentAddressCondition that logs and always returns true be
a reasonable way to achieve this?


Max Spicer

On Tue, 22 Mar 2022 at 12:35, Cantor, Scott <cantor.2 at> wrote:

> On 3/22/22, 7:35 AM, "users on behalf of Max Spicer via users" <users-bounces at on behalf of users at> wrote:
> > I wondered what others have done to mitigate such situations and also if
> > anyone could expand further on the risks of disabling consistent address
> > checking entirely if cookies are only ever transmitted over SSL.
>
> Aside from the risks of XSS attacks, the docs reflect my views on the
> relevance of TLS in the face of how CAs operate, but also (in the case of
> the IdP moreso), the fact that people run IdPs with a lot of load balancer
> proxying that undermines the trust it's possible to have in that layer. It
> is largely a reference to the insider attack threat. SAML's deployability
> is balanced by the fact that it makes impersonation of users a lot easier
> than it ought to be, and session affinity confines that risk to the IdP
> operator and not half the networking team.
>
> -- Scott

Max Spicer - Identity Systems Developer
IT Services, University of York
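
The log-and-accept condition asked about above, as an added example that is not part of the original thread and not Shibboleth's own code. It assumes idp.session.consistentAddressCondition names a bean implementing BiPredicate<String,String> that is handed the session's bound address and the current client address; the class name and the prefix triage in describe() are hypothetical.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Arrays;
import java.util.function.BiPredicate;
import java.util.logging.Logger;

// Added example (hypothetical class name). Assumes the IdP calls test() with the
// session's bound address and the current client address as strings.
public class LoggingAddressCondition implements BiPredicate<String, String> {

    // java.util.logging keeps this self-contained; a deployment would log via SLF4J.
    private static final Logger LOG = Logger.getLogger(LoggingAddressCondition.class.getName());

    @Override
    public boolean test(String first, String second) {
        if (first != null && second != null && !first.equals(second)) {
            LOG.warning(String.format("Session address change: %s / %s (%s)",
                    first, second, describe(first, second)));
        }
        return true; // observe only: the session is never rejected here
    }

    // Coarse triage hint: same IPv4 /24 or IPv6 /64, or a different network.
    // getByName() performs no DNS lookup when given a literal IP address.
    static String describe(String a, String b) {
        try {
            byte[] x = InetAddress.getByName(a).getAddress();
            byte[] y = InetAddress.getByName(b).getAddress();
            if (x.length != y.length) {
                return "address family changed";
            }
            int prefixBytes = (x.length == 4) ? 3 : 8;
            boolean samePrefix = Arrays.equals(
                    Arrays.copyOf(x, prefixBytes), Arrays.copyOf(y, prefixBytes));
            return samePrefix ? "same prefix" : "different network";
        } catch (UnknownHostException e) {
            return "unparseable address";
        }
    }

    public static void main(String[] args) {
        // Constructed sample addresses from the documentation ranges.
        LoggingAddressCondition condition = new LoggingAddressCondition();
        condition.test("192.0.2.10", "192.0.2.77");     // change within one /24
        condition.test("192.0.2.10", "198.51.100.5");   // change to another network
        condition.test("2001:db8::1", "2001:db8::2");   // change within one /64
    }
}
```

Because the condition never rejects a session, it only records address changes and leaves the session-affinity protection Scott describes switched off in effect.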