
shibboleth-dev - RE: Shibboleth and ipv6

Subject: Shibboleth Developers

List archive

RE: Shibboleth and ipv6


  • From: "Scott Cantor" <>
  • To: <>
  • Subject: RE: Shibboleth and ipv6
  • Date: Tue, 18 Oct 2005 11:39:37 -0400
  • Organization: The Ohio State University

> What then happens is (User = User's web browser):
> 1. User connects to SP using ipv4 ip
> 3. User connects to IdP using ipv6 ip
> 6. User connects to SP using ipv4 ip
> 7. SP checks handle and throws an error because the ipv6 IP in the
> handle is not the same as the ipv4 IP that was used to
> connect to the SP

Ok...but that's not really fixable unless you do some kind of NAT process at
the IdP. I think somebody actually wrote some code to do that, although I
think at the time I was pretty confused about the purpose. I guess I sort of
get it now.

> There wouldn't be a problem if SP or IdP somehow could figure out what
> ipv4 and ipv6 IP the user has. Unfortunately this is probably not
> easy or not possible at all. The only way I know may work is to do a
> reverse dns lookup to the hostname of the user and then do a dns
> lookup for ipv4 or ipv6...

Well, if somebody thinks that's actually possible, they're welcome to
supply a patch. It's definitely not a priority for me.

> So, I would say the only option is to disable the address checking in
> that situation.

So would I. And that's not really uncommon. I think you can make the case
that all SSO systems are insecure without address checking, and that
unfortunately leads to some bad conclusions.

-- Scott
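The mismatch the thread describes, as an added example that is not code from the original post or from Shibboleth itself: a simulated SP-side address check on a handle that records the client address the IdP observed. The `Handle` structure and all addresses (2001:db8::1, 192.0.2.10) are constructed for illustration; it also handles the related dual-stack case where an IPv4 client shows up as an IPv4-mapped IPv6 address (::ffff:a.b.c.d) on one side only, which a naive string compare would reject.

```python
import ipaddress
from dataclasses import dataclass
from typing import Tuple, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


@dataclass
class Handle:
    """Hypothetical SSO handle: subject plus the client address the IdP saw."""
    subject: str
    issued_for: str


def normalize(addr: str) -> IPAddr:
    """Parse an address; fold IPv4-mapped IPv6 (::ffff:a.b.c.d) down to plain IPv4.

    Dual-stack listeners commonly report IPv4 clients in mapped form, so without
    this step an IPv4 client would fail the check purely because of notation.
    """
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def check_address(handle: Handle, client_addr: str, enforce: bool = True) -> Tuple[bool, str]:
    """SP-side decision: does the presenting client match the address in the handle?

    Returns (accepted, reason). With enforce=False the check is skipped, which is
    the option the thread settles on for mixed IPv4/IPv6 clients; the reason string
    is kept so the decision can still be logged and later detected in audit review.
    """
    if not enforce:
        return True, "address check disabled; handle bound to %s" % handle.issued_for
    bound, seen = normalize(handle.issued_for), normalize(client_addr)
    if bound == seen:
        return True, "address match"
    if bound.version != seen.version:
        # The exact failure from the thread: IdP saw IPv6, SP sees IPv4.
        return False, "address family mismatch: handle bound to IPv%d %s, request from IPv%d %s" % (
            bound.version, bound, seen.version, seen)
    return False, "address mismatch: handle bound to %s, request from %s" % (bound, seen)


if __name__ == "__main__":
    h = Handle("user@example.org", "2001:db8::1")   # IdP reached over IPv6
    print(check_address(h, "192.0.2.10"))            # SP reached over IPv4 -> rejected
    print(check_address(h, "192.0.2.10", enforce=False))
    print(check_address(Handle("user@example.org", "::ffff:192.0.2.10"), "192.0.2.10"))
```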

Archive powered by MHonArc 2.6.16.