shibboleth-dev - RE: Shibboleth and ipv6
Subject: Shibboleth Developers
List archive
- From: "RL 'Bob' Morgan" <>
- To: Shibboleth Dev Team <>
- Subject: RE: Shibboleth and ipv6
- Date: Wed, 19 Oct 2005 13:44:14 -0700 (PDT)
So, I would say the only option is to disable the address checking in
that situation.
We have a campus-wide "internal network" service, for machines that don't want to be on the big bad Internet, and a campus-wide NAT that serves them all. So for one of these machines our IdP sees the internal address, but an off-campus SP sees the NAT address. So we pretty much have to ask all our SPs to turn off address checking. I think this kind of setup is unfortunately becoming pretty common.
So would I. And that's not really uncommon. I think you can make the case that all SSO systems are insecure without address checking, and that unfortunately leads to some bad conclusions.
Well, surely "secure" and "insecure" are matters of threat model and risk assessment, non?
The obvious threat scenario that address checking protects against is theft of the bearer assertion from the client machine, with the just as obvious reply that if the client machine is compromised in such a way that things passing through it can be stolen, then the user has pretty much lost the game, regardless of protocol techniques.
Were you thinking of another threat scenario?
- RL "Bob"
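The SP-side address check the thread argues about, as an added example that is not Shibboleth code and uses assumed names: the IdP records the client address it saw in the assertion, the SP compares it with the address it sees on the request, and the NAT setup Bob describes makes the two differ. The IPv6 canonicalization (different textual forms, IPv4-mapped addresses) is my addition, not something the thread states.

```python
"""Added example, not Shibboleth's own code. Assumed function names;
the real SP's configuration and comparison logic differ."""
import ipaddress


def normalize(addr: str):
    """Parse an address; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) to IPv4 so
    the same client seen over different stacks still compares equal."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def address_check(assertion_addr: str, observed_addr: str, enforce: bool = True) -> bool:
    """Return True if the assertion may be accepted on this request.
    assertion_addr: client address the IdP recorded in the assertion.
    observed_addr:  client address the SP sees on the request presenting it.
    enforce=False is the 'turn off address checking' setting from the thread."""
    if not enforce:
        return True
    try:
        return normalize(assertion_addr) == normalize(observed_addr)
    except ValueError:
        return False  # unparsable address: fail closed


# Constructed sample addresses illustrating the scenarios in the thread.
NAT_CASE = ("10.20.30.40", "192.0.2.7")  # IdP sees internal addr, off-campus SP sees NAT addr
SAME_CASE = ("2001:db8::1", "2001:0db8:0000:0000:0000:0000:0000:0001")  # one address, two spellings
MAPPED_CASE = ("::ffff:198.51.100.5", "198.51.100.5")  # IPv4-mapped vs plain IPv4


def demo() -> dict:
    return {
        "nat_strict": address_check(*NAT_CASE),  # False: the check fails behind NAT
        "nat_disabled": address_check(*NAT_CASE, enforce=False),  # True: check turned off
        "ipv6_forms": address_check(*SAME_CASE),  # True: same address after normalization
        "mapped": address_check(*MAPPED_CASE),  # True: mapped form unwrapped to IPv4
    }
```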