MIT Touchstone browser requirements and issues:

  • The browser must support SSL.
  • The browser must support POST operations and redirections.
  • The browser must support Javascript.
  • The browser must support cookies.

Google's browser sync plugin for Firefox (see http://www.google.com/tools/firefox/browsersync/ ) causes problems. When the user requests the app's /login link, the user gets redirected. However, the IdP sees the request as coming from Google's IP address. The user will then step through the forward redirects with their normal site IP address and end up coming back to the SP for the POST using that site IP address. shibd rejects the mismatched address and logs the exception:

"caught exception while retrieving session: Your IP address (66.249.84.68) does not match the address recorded at the time the session was established." 

An application could allow the use of the Google browser sync plugin by setting consistentAddress="false". However, this has significant security ramifications: a session could easily be hijacked by an attacker and the original user impersonated for other transactions. Instead, users should be instructed not to use this plugin.
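As an added example (not part of this page or of Shibboleth itself), a short Python script that scans shibd log output for the exception quoted above and tallies rejected session lookups per client address, so an operator can see which users are hitting the consistentAddress check. Only the exception text comes from the page; the timestamp/level prefix of the sample lines is a constructed assumption, not a guaranteed shibd log format.

```python
import re
from collections import Counter

# Pattern for the exception quoted on this page. The surrounding
# "date time LEVEL shibd:" prefix in the samples below is constructed.
MISMATCH_RE = re.compile(
    r"caught exception while retrieving session: Your IP address "
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) does not match the address "
    r"recorded at the time the session was established"
)

# Constructed sample log lines for demonstration only.
SAMPLE_LOG = """\
2007-03-12 09:14:02 INFO shibd: new session created
2007-03-12 09:14:31 ERROR shibd: caught exception while retrieving session: Your IP address (66.249.84.68) does not match the address recorded at the time the session was established.
2007-03-12 09:15:10 ERROR shibd: caught exception while retrieving session: Your IP address (66.249.84.68) does not match the address recorded at the time the session was established.
2007-03-12 09:16:44 ERROR shibd: caught exception while retrieving session: Your IP address (192.0.2.77) does not match the address recorded at the time the session was established.
2007-03-12 09:17:00 INFO shibd: session lookup succeeded
"""


def address_mismatches(log_text):
    """Count, per client IP, how often the consistentAddress check rejected
    a session lookup. Repeated hits from one address (such as the proxying
    plugin described above) stand out from scattered one-off mismatches,
    which deserve a closer look on their own."""
    counts = Counter()
    for line in log_text.splitlines():
        m = MISMATCH_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def report(log_text, threshold=2):
    """Return (ip, count) pairs at or above threshold, most frequent first."""
    counts = address_mismatches(log_text)
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    for ip, n in report(SAMPLE_LOG):
        print(f"{ip}: {n} rejected session lookups")
```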