CONFIGURING SERVICE PROVIDERS TO WORK FOR USERS THAT USE a NETWORK ADDRESS 

TRANSLATION (NAT)

The following settings will affect the ability of Service Provider to function correctly for users in networks that are NATTed.

checkAddress (default is false)

The IdP place the IP address of the user agent that authenticated into the assertions it issues to the SP. When this option is set to ”true”, the SP will check this address against the address of the client presenting an assertion before creating a session. If they match access proceed, if not an error is thrown by the SP.

While this can increases the security of the session but it can also cause problems for users in NATed network.

consistentAddress (default is true)

When true, the SP will remember the IP address used when creating a session and ensure that all subsequent access associated with this session come from the same address. 

Issues

Service Providers that have either one or both of the options set to true may experience intermittent issues with users attempting to access the service from within a network that uses NAT.

This makes it difficult to troubleshoot since the users accepted that there was something wrong and continued to re-authenticating it without logging the incident. 

Resolutions

The AAF recommends that Service Providers set both values to “false”  to  minimise issues related to users in NATed networks.

  • checkAddress = “false”
  • consistentAddress = “false”