Consequences of setting checkAddress & consistentAddress to false?
As the title suggests, I would like to know the potential consequences of setting checkAddress & consistentAddress to false in the shibboleth2.xml configuration file.
The reason I am asking this is because I am running a proxy/shibboleth setup behind an elastic load balancer where there are multiple virtual load balancers. The ELB DNS has a TTL of 60 seconds, which means you can connect to an application from one virtual load balancer's IP and then 60 seconds later be coming from a different virtual load balancer's IP.
This is causing the following error messages to appear in native_warn.log:
"2016-06-13 15:46:13 WARN Shibboleth.ServiceProvider FastCGI shibauthorizer: error during session lookup: Your IP address (10.x.x.x) does not match the address recorded at the time the session was established.
2016-06-13 15:47:29 WARN Shibboleth.SessionCache FastCGI shibauthorizer: client address mismatch, client (10.x.x.x), session (10.x.x.x)"
This then stops the application from working.
I have captured some TCP dumps and confirmed that the source IP is in fact changing.
I have also tested my setup without the ELB, by binding the URL onto a single IP given out by my DNS, and I do not see this issue.
This is a little bit out of my area of expertise, so I would like to understand exactly what setting these to false is doing, especially from a security POV if this were to serve a public-facing site.
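As an added illustration (not configuration taken from the question), here is the relevant `<Sessions>` element of a shibboleth2.xml with the address checks left at their defaults, and beneath it, commented out, the relaxed form being asked about; the entity IDs, handler paths and lifetimes are assumed values.

```xml
<!-- shibboleth2.xml, inside <SPConfig> ... <ApplicationDefaults> -->
<ApplicationDefaults entityID="https://sp.example.org/shibboleth"
                     REMOTE_USER="eppn">

    <!-- Address binding left ON (the SP defaults). On each request the SP
         compares the client address handed to it by the web server
         (REMOTE_ADDR) with the address recorded when the session was
         created; a mismatch is logged as "client address mismatch" and the
         session is refused, which is exactly the failure seen in the post
         when the ELB node, and so the source address, changes. -->
    <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
              checkAddress="true" consistentAddress="true"
              handlerSSL="true" cookieProps="https">
        <SSO entityID="https://idp.example.org/idp/shibboleth">
            SAML2
        </SSO>
        <Logout>SAML2 Local</Logout>
        <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
        <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
        <Handler type="Session" Location="/Session" showAttributeValues="false"/>
    </Sessions>

    <!-- The relaxed form the question asks about. With both attributes false
         the SP no longer ties a session to any address, so a session cookie
         that leaks (a shared or lost device, a script-injection flaw in the
         application, a plain-HTTP hop) is accepted from anywhere for the rest
         of the session lifetime. The address check is defence in depth rather
         than the main control; once it is gone, the cookie flags (secure,
         HttpOnly via cookieProps) and a short lifetime/timeout carry more of
         the weight, so tighten those if this form is used.

    <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
              checkAddress="false" consistentAddress="false"
              handlerSSL="true" cookieProps="https">
        ... same child elements as above ...
    </Sessions>
    -->

</ApplicationDefaults>
```

An alternative to switching the checks off (an assumption about this deployment, not something the post confirms) is to have the web server in front of shibauthorizer restore the real client address from the ELB's X-Forwarded-For header while trusting only the ELB's address range (nginx's realip module, or mod_remoteip on Apache), so the REMOTE_ADDR the SP records is the end user's and no longer changes when ELB nodes rotate.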