shibboleth-dev - Re: IP addresses and WAYF

List: Shibboleth Developers


Re: IP addresses and WAYF


  • From: Chad La Joie <>
  • To: Shibboleth Development <>
  • Subject: Re: IP addresses and WAYF
  • Date: Mon, 11 Jul 2005 07:00:09 -0400
  • Organization: UIS - Project Sentinel

I don't think the technical questions are all that trivial. I know I've
sat at other universities before and accessed stuff here at my home
organization. If I were accessing stuff via Shib and the WAYF kept
directing me to the other university's login page I'd be stuck.

As far as the ethical question, I don't see an issue with this. Your IP
address is public data, you can't get away from giving it out. Even if
you have a NAT you're still showing SOME IP.

One thing that I've wondered about is a bit of logic in the WAYF that
would resolve your IP, pull out the domain, and try to find an entry in
the metadata file and then preselect it in the drop down list, if you
can find it.

Not sure if this would work (I haven't thought very hard on it), but it
seems like it might and it still allows travelers the ability to use the
WAYF as they normally would.

Alistair Young wrote:
> We've been having a wee think here about bypassing the WAYF, if
> possible, using IP matching. The idea is an SP takes the IP address
> from the HTTP headers and does a lookup to see if it can decide
> automatically where the IdP is.
>
> Well, realistically, the SP will forward the IP address to the WAYF
> which will do the lookup and forward the SAML Request to the matched
> IdP, thus bypassing a potentially massive list of IdPs.
>
> The philosophical question raised though, is this behaviour ethical
> within a Shibboleth environment? In my case, my IP address can be used
> to identify me as it's unique, e.g. it's one of my attributes. An
> attribute over which I have no control as it's not in any IdP ARP. The
> SP would just take it without my knowledge/agreement.
>
> It would be less intrusive if the IP was a NAT but the ethical question
> is still there.
>
> It's an easy way of scaling down the WAYF a bit but subject to the
> usual (IP may not be available, internet cafe won't work etc). These
> technical questions are trivial.
>
> What I'm really interested in is people's views on gathering non ARP
> regulated attributes such as IP address.
>
> ta,
> Alistair
>

--
Chad La Joie 315Q St. Mary's Hall
Project Sentinel 202.687.0124
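One way to try the preselection idea from the message above (reverse-resolve the client IP, pull out the domain, look it up in the metadata, preselect the match, and otherwise leave the full list alone), as an added example in Python that is not the Shibboleth WAYF's own code. The metadata, the entityIDs and scopes in it, and the PTR table are all constructed for the example; a live WAYF would pass the IP the SP forwarded and use the real `reverse_lookup` instead of the fake resolver.

```python
"""Preselect an IdP in a WAYF drop-down from the client's IP address.

Added example, not code from the Shibboleth WAYF. Reverse-resolve the client
IP, peel the hostname down to its domain suffixes, and look each suffix up
against the literal shibmd:Scope values of the IdPs in a metadata file.
Anything that cannot be matched falls through to None so the WAYF shows the
full list, which keeps the travelling user's normal WAYF behaviour intact.
"""
import ipaddress
import socket
import xml.etree.ElementTree as ET
from typing import Callable, Dict, Iterator, Optional

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SHIBMD_NS = "urn:mace:shibboleth:metadata:1.0"

# Constructed sample metadata (entityIDs and scopes are hypothetical).
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0">
  <EntityDescriptor entityID="https://idp.example.edu/shibboleth">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
      <Extensions><shibmd:Scope regexp="false">example.edu</shibmd:Scope></Extensions>
    </IDPSSODescriptor>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://idp.other.ac.uk/shibboleth">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
      <Extensions><shibmd:Scope regexp="false">other.ac.uk</shibmd:Scope></Extensions>
    </IDPSSODescriptor>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://sp.example.edu/shibboleth">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol"/>
  </EntityDescriptor>
</EntitiesDescriptor>
"""

# Addresses behind NAT or local to the box say nothing about the home org:
# RFC 1918, loopback and link-local for v4, ULA/link-local/loopback for v6.
NAT_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]


def load_idp_scopes(metadata_xml: str) -> Dict[str, str]:
    """Map every literal (regexp="false") IdP scope, lowercased, to its entityID.

    SP-only entities are skipped: a scope only points at a home IdP when it
    hangs off an IDPSSODescriptor.
    """
    root = ET.fromstring(metadata_xml)
    scopes: Dict[str, str] = {}
    for entity in root.iter(f"{{{MD_NS}}}EntityDescriptor"):
        entity_id = entity.get("entityID")
        for idp in entity.findall(f"{{{MD_NS}}}IDPSSODescriptor"):
            for scope in idp.iter(f"{{{SHIBMD_NS}}}Scope"):
                if scope.get("regexp", "false").lower() == "true" or not scope.text:
                    continue  # regexp scopes would need a different matcher
                scopes[scope.text.strip().lower()] = entity_id
    return scopes


def reverse_lookup(ip: str) -> Optional[str]:
    """Real PTR lookup; None when the address has no PTR record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # socket.herror / socket.gaierror are OSError subclasses
        return None


def candidate_domains(hostname: str) -> Iterator[str]:
    """Yield the hostname and each shorter suffix, stopping before the bare TLD.

    'wks42.cs.example.edu' -> 'wks42.cs.example.edu', 'cs.example.edu', 'example.edu'
    """
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(0, len(labels) - 1):
        yield ".".join(labels[i:])


def preselect_idp(client_ip: str, scopes: Dict[str, str],
                  resolver: Callable[[str], Optional[str]] = reverse_lookup) -> Optional[str]:
    """Return the entityID to preselect, or None to show the full WAYF list.

    None covers the cases the thread raises: a malformed or NAT'd address,
    an address with no PTR record (internet cafe), and a hostname whose
    domain matches no IdP scope (the traveller at another university).
    """
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return None
    if any(addr in net for net in NAT_RANGES):
        return None
    hostname = resolver(client_ip)
    if not hostname:
        return None
    for domain in candidate_domains(hostname):
        if domain in scopes:
            return scopes[domain]
    return None


# Constructed PTR table so the example runs offline (documentation-range IPs).
FAKE_PTR = {
    "192.0.2.10": "wks42.cs.example.edu",   # campus workstation, matches example.edu
    "198.51.100.7": "lab-pc.other.ac.uk",   # matches other.ac.uk
    "203.0.113.9": "dyn-9.isp.example",     # has a PTR, but no IdP claims that domain
}


def fake_resolver(ip: str) -> Optional[str]:
    return FAKE_PTR.get(ip)


SCOPES = load_idp_scopes(SAMPLE_METADATA)

if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.9", "10.0.0.5", "192.0.2.99"):
        print(ip, "->", preselect_idp(ip, SCOPES, fake_resolver) or "(show full list)")
```

Two practical points. The address fed in should be the one the SP observed on its own connection, not a value copied from a client-supplied request header, since the latter is whatever the browser chose to send. And because the result only preselects an entry in the drop-down rather than redirecting, a wrong guess (a visitor sitting on another campus's network, as in the message above) costs the user one extra click instead of sending them to the wrong IdP.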