Shibboleth Developers

["Spencer W. Thomas" <>]

Maybe I'm wrong, but I don't think you need ipv6 for this sort of
problem to arise.  Almost any AOL user will appear to be coming from
multiple IP addresses, as AOL distributes load across its proxy
servers.  I'm not sure of the granularity of the distribution, but I
know that we have seen AOL users switch IPs in the middle of a
"session", as AOL moves their traffic from one proxy to another.  I
could see this happening especially when the traffic is to multiple
servers.  I can't guarantee that it'll be a problem, but it certainly
might be. 

=Spencer

Lukas Haemmerle wrote:

>What then happens is (User = User's web browser):
>1. Users connects to SP using ipv4 ip
>2. SP redirects to IdP (or WAYF and then to IdP, but WAYF can be ignored
>in this situation)
>3. User connects to IdP using ipv6 ip
>4. User authenticates at IdP and gets handle. Handle contains ipv6 IP in
>element "SubjectLocality"
>5. User gets redirected to SP
>6. User connects to SP using ipv4 ip
>7. SP checks handle and throws an error because the ipv6 IP in the
>handle is not the same as the ipv4 IP that was used to connect to the SP
>
>  
>