session id and ip address


session id and ip address

Bryan K. Walton
We are an SP working with a university who is requesting that the
Shibboleth session IDs for their application not be locked to a client's
IP address.

They say that, in their environment, a user will authenticate with one
IP address, but after authentication, may be bounced to another node
with a different IP.  They are wondering if it is possible to create
session IDs that trust an IP range and/or subnet.

Is this possible with Shibboleth?

Thanks!
Bryan
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]

Re: session id and ip address

Cantor, Scott E.
On 5/2/18, 11:47 AM, "users on behalf of Bryan K. Walton" <[hidden email] on behalf of [hidden email]> wrote:

> Is this possible with Shibboleth?

No, checking is either on or off.

I have given some thought to it (more with the IdP in mind) but it isn't terribly obvious how one could express a configuration that would make any sense and I tend to think it's an application responsibility to do something that odd. The SP is complex enough (and then some).

-- Scott



Re: session id and ip address

Bryan K. Walton
On Wed, May 02, 2018 at 03:53:04PM +0000, Cantor, Scott wrote:
> On 5/2/18, 11:47 AM, "users on behalf of Bryan K. Walton" <[hidden email] on behalf of [hidden email]> wrote:
>
> > Is this possible with Shibboleth?
>
> No, checking is either on or off.
>
> I have given some thought to it (more with the IdP in mind) but it isn't terribly obvious how one could express a configuration that would make any sense and I tend to think it's an application responsibility to do something that odd. The SP is complex enough (and then some).

Thanks, Scott!

-Bryan

Re: session id and ip address

Guillaume Rousse
In reply to this post by Cantor, Scott E.
On 02/05/2018 at 17:53, Cantor, Scott wrote:
> On 5/2/18, 11:47 AM, "users on behalf of Bryan K. Walton" <[hidden email] on behalf of [hidden email]> wrote:
>
>> Is this possible with Shibboleth?
>
> No, checking is either on or off.
>
> I have given some thought to it (more with the IdP in mind) but it isn't terribly obvious how one could express a configuration that would make any sense and I tend to think it's an application responsibility to do something that odd. The SP is complex enough (and then some).
I may have misunderstood, but if the address change only occurs between
the authentication stage (i.e., on the IdP) and service access (i.e., on the
SP), and then stays constant during the whole SP session, the
'consistentAddress' parameter may be used to implement that kind of
relaxed check.

Regards.
--
Guillaume Rousse
Pôle SSI

Tel: +33 1 53 94 20 45
www.renater.fr


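For readers who want to see what the suggestion above looks like in practice, here is an added configuration excerpt (not posted by anyone in the thread, and not taken from the Shibboleth documentation verbatim). It shows the `<Sessions>` element of the SP's shibboleth2.xml with the two address-related attributes side by side. The IdP entityID and the lifetime/timeout values are placeholders; confirm both attribute names against the Sessions element reference for your SP version before relying on them.

```xml
<!-- Excerpt of shibboleth2.xml (inside <ApplicationDefaults>); only the
     <Sessions> element is shown. Illustrative values, not a real deployment.

     checkAddress      : compare the client's address with the address the
                         IdP asserted for the user (SubjectConfirmationData).
                         Default true.
     consistentAddress : compare the client's address on every request with
                         the address seen when the SP session was created.
                         Default true.

     Default behaviour is checkAddress="true" consistentAddress="true":
     a client that authenticates at the IdP from one address and then
     reaches the SP from another is rejected at session creation.

     Relaxed variant for the case described in the thread: the address may
     change between IdP authentication and first SP access, but must then
     stay constant for the life of the SP session. Only the comparison with
     the IdP-asserted address is disabled; the session is still bound to
     the first address the SP sees, so a stolen session cookie replayed from
     a different address is still refused. -->
<Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
          checkAddress="false" consistentAddress="true"
          handlerSSL="true" cookieProps="https">

    <!-- Placeholder IdP; substitute the real entityID. -->
    <SSO entityID="https://idp.example.org/idp/shibboleth">
        SAML2
    </SSO>

    <Logout>SAML2 Local</Logout>
    <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
    <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
    <Handler type="Session" Location="/Session" showAttributeValues="false"/>
</Sessions>
```

Two caveats for anyone testing this. First, neither attribute accepts a prefix or range, which is the point Scott made: the SP cannot express "any address in this subnet is fine", so if the client's address keeps changing during the SP session the only remaining option is `consistentAddress="false"`, which removes address binding from the session entirely and should be compensated by short lifetimes and HTTPS-only cookies. Second, the "client address" the SP compares is whatever the web server reports as the remote address; behind a load balancer or reverse proxy that is the proxy's address unless the server is configured to substitute the forwarded client address, in which case the check may pass or fail for reasons unrelated to the user's real network path.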

Re: session id and ip address

Bryan K. Walton
On Wed, May 02, 2018 at 06:02:16PM +0200, Guillaume Rousse wrote:
> I may have misunderstood, but if the address change only occurs between
> the authentication stage (i.e., on the IdP) and service access (i.e., on the SP),
> and then stays constant during the whole SP session, the 'consistentAddress'
> parameter may be used to implement such kind of relaxed check.

That DOES sound promising!  Thanks for the suggestion.  We will discuss
with the university and consider testing this.

Thanks!
Bryan