Shibboleth Developers

[Lukas Haemmerle <>]

Josh Howlett wrote:
> I'm interested in determining the level of support for IPv6 in
> Shibboleth. I understand that there is IPv4-specific code for validating
> assertions and cookies. Is there much else?

We had a look at that sometime last year. The only issue we encountered
had to do with the checkAddress="true" setting. If this setting was
enabled, you could run into problems when the user used and IPv6 IP to
authenticate at the IdP and an IPv4 IP to access the SP host or vice
versa. In these cases, the IP address in the assertion of course doesn't
match the IP address seen at the SP, which results in an error.

What you have to do to prevent that is to configure the SP with
checkAddress="false" but leave consistentAddress="true" (is default).
This will slightly decrease the security but you won't have problems
with IPv6, Proxies, NAT and so on anymore.

Cheers
Lukas


-- 
-------  SWITCH - The Swiss Education & Research Network  ------
Lukas Haemmerle           Security         http://www.switch.ch/
SWITCH,  Neumuehlequai 6, P.O. Box,  CH-8021 Zurich, Switzerland

 Tel: +41 44 268 15 64  Fax: +41 44 253 98 98