Consequences of setting checkAddress & consistentAddress to false?

As the title suggests, I would like to know the potential consequences of setting checkAddress and consistentAddress to false in the shibboleth2.xml configuration file.

The reason I am asking this is because I am running a proxy/shibboleth setup behind an elastic load balancer where there are multiple virtual load balancers. The ELB DNS has a TTL of 60 seconds, which means you can connect to an application from one virtual load balancer's IP and then 60 seconds later be coming from a different virtual load balancer's IP.

This is causing the following error messages to appear in native_warn.log:
"2016-06-13 15:46:13 WARN Shibboleth.ServiceProvider FastCGI shibauthorizer: error during session lookup: Your IP address (10.x.x.x) does not match the address recorded at the time the session was established.
2016-06-13 15:47:29 WARN Shibboleth.SessionCache FastCGI shibauthorizer: client address mismatch, client (10.x.x.x), session (10.x.x.x)"

This then stops the application from working.

I have captured some TCP dumps and confirmed that the source IP is in fact changing.

I have also tested my setup without the ELB, by binding the URL to a single IP given out by my DNS, and I do not see this issue.

This is a little bit out of my area of expertise, so I would like to understand exactly what setting these to false does, especially from a security POV, if this were to serve a public-facing site.
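Added example, not part of the original post and not configuration shipped by the Shibboleth project: two shibboleth2.xml `<Sessions>` fragments contrasting the setting the question asks about with an alternative that keeps per-request address checking behind a proxy. Assumptions: the attribute names follow the Shibboleth SP 2.x documentation as I recall it (in particular the `REMOTE_ADDR` attribute on `<ApplicationDefaults>`), the entityID is a placeholder, and the load balancer is assumed to overwrite, not append to, any client-supplied X-Forwarded-For header.

```xml
<!-- Added example; not from the original post. Verify attribute names against
     the documentation of your installed Shibboleth SP version. -->

<!-- Fragment A: what the question proposes. checkAddress controls the
     one-time comparison of the client address against the address the IdP
     put in the assertion when the session is created; consistentAddress
     controls the per-request comparison against the address recorded at
     session creation (the "client address mismatch" warning in the post).
     With both false, a session is bound to the cookie alone: a cookie copied
     from one client is accepted from any address until lifetime/timeout
     expire, so keep cookieProps="https", handlerSSL="true" and a short
     timeout when running this way. -->
<ApplicationDefaults entityID="https://sp.example.org/shibboleth">
  <Sessions lifetime="28800" timeout="3600"
            checkAddress="false"
            consistentAddress="false"
            handlerSSL="true" cookieProps="https">
    <!-- SSO / handler elements unchanged from the stock file -->
  </Sessions>
</ApplicationDefaults>

<!-- Fragment B (assumed attribute, SP 2.4+): keep the per-request check but
     tell the SP to read the address the balancer forwards rather than the
     balancer's own changing address. This only restores the check safely if
     the balancer strips or overwrites any X-Forwarded-For value sent by the
     client; otherwise a client can choose the address the SP compares. -->
<ApplicationDefaults entityID="https://sp.example.org/shibboleth"
                     REMOTE_ADDR="X-Forwarded-For">
  <Sessions lifetime="28800" timeout="3600"
            checkAddress="false"
            consistentAddress="true"
            handlerSSL="true" cookieProps="https">
    <!-- SSO / handler elements unchanged from the stock file -->
  </Sessions>
</ApplicationDefaults>
```

Whichever fragment is used, the native_warn.log entries quoted above are the signal to watch: with fragment B they should disappear for legitimate clients and reappear only when the forwarded address of an existing session actually changes.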