Shibboleth Developers

["Scott Cantor" <>]

> Today we noticed that Shibboleth is ipv6 capable, but only partially.
> While it perfectly works when SP and IdP and user have an ipv4 and an
> ipv6 ip, there occur problems when only the IdP and the user are ipv6
> capable. In this case (and probably also when instead the IdP doesn't
> support ipv6), the 'checkAddress="false"' setting of the Sessions
> section in the SP config causes the SP to detect an IP mismatch , which
> is not really surprising.

I think you mean true, not false. I assume so anyway. I don't really know
anything about v6 other than rudimentary stuff, so I don't know what the bug
is or how to fix it. I gather it's something like having to convert the
address formats back and forth and allowing that kind of comparison to
succeed.

> However, this then results in an "IP Address
> Mismatch". Of course, one could disable that security feature, but that
> isn't the best solution I guess :)

In practice, it's not clear who can afford to leave it on anyway. It's less
common, I'd say.

> Provided that ipv6 is spreading more and more, are there any plans to
> make the Shibboleth SP completely ipv6 aware and is that 
> possible at all?

I have no idea since I don't know what the exact problem is. It's not
something I can test either.

-- Scott