ISE SAML Shibboleth and client IP address checks, can I turn it off?

Team,


We have a situation where a SAML/Shibboleth server was moved to AWS, while ISE is still on the internal network. This has caused a situation where ISE is rejecting the authentication of some clients based on the way they connect to the network, because Shibboleth sees a different IP address for the client than ISE does. 


Is there a way to turn this IP check off in ISE?


2018-07-30 10:29:09,246 DEBUG [http-bio-172.16.253.240-8448-exec-3][] cpm.saml.framework.impl.SAMLFacadeImpl -::::- AuthenticatePortalUser - Session:null IDPResponse:
IdP ID: SAMLConfig
SAML Status Code:urn:oasis:names:tc:SAML:2.0:status:Success
SAML Success:false
SAML Status Message:null
SAML email:
SAML Exception:Subject Confirmation Data address 150.135.165.24 does match client address 150.135.112.40

3 Replies

hslai (Cisco Employee)

From my understanding, the saml2:SubjectConfirmationData in a SAML response from the IdP should be validated by the service provider. I do not think ISE has an option for this, while ISE portals have tested OK with cloud-based IdPs, such as Azure AD, PingOne, and Okta.

From "Exception when interworking between Shibboleth IDP and Geneva Beta 2", it seems ADFS 2.0 did ignore the IP address, as no one was able to make Shibboleth stop sending the IP address in the SubjectConfirmationData. Thus, you might consider asking for an enhancement in ISE.

I will check with our engineering and update.

Meanwhile, I guess you would have to find a way to make the same IP address shown from the client browser to ISE and to Shibboleth. Use other interfaces on ISE, maybe?
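To make the check concrete, here is an added example (illustrative code, not ISE's or Shibboleth's implementation) of what a SAML service provider does with saml2:SubjectConfirmationData/@Address: it parses the Address the IdP observed and compares it with the client address the SP itself sees. The sample response is constructed with the two addresses from the log in the question, so the strict comparison fails exactly the way the ISE exception shows; the optional nat_pools/client_ranges parameters are an assumed relaxation, not an ISE setting, to show how a NAT-aware policy could be scoped if the SP allowed it. Signature and timestamp validation are deliberately left out.

```python
"""Added example: SP-side validation of SubjectConfirmationData/@Address.

Not ISE or Shibboleth code. The response below is constructed for the
example; real responses are signed and carry NotOnOrAfter/InResponseTo,
which a real SP must also verify.
"""
import ipaddress
import xml.etree.ElementTree as ET

NS = {
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Constructed sample: the IdP (behind the AWS NAT) saw 150.135.165.24 and
# wrote it into Address; the SP on the internal network sees 150.135.112.40.
SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </saml2p:Status>
  <saml2:Assertion>
    <saml2:Subject>
      <saml2:NameID>jdoe@example.com</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData Address="150.135.165.24"
            Recipient="https://ise.example.com:8443/portal/SSOLoginResponse.action"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
  </saml2:Assertion>
</saml2p:Response>"""


def confirmation_addresses(response_xml):
    """Return every Address attribute found on SubjectConfirmationData.

    Address is optional in SAML 2.0, so the list may be empty.
    """
    root = ET.fromstring(response_xml)
    path = ".//saml2:SubjectConfirmation/saml2:SubjectConfirmationData"
    return [scd.get("Address") for scd in root.iterfind(path, NS) if scd.get("Address")]


def check_address(response_xml, client_ip, nat_pools=(), client_ranges=()):
    """Validate the asserted Address against the address the SP observes.

    Returns (accepted, reason). Default behaviour is strict, as the ISE log in
    the question shows: the asserted address must equal client_ip.

    nat_pools / client_ranges are an assumed relaxation for illustration: an
    asserted address inside a trusted NAT pool is accepted only when the
    observed client_ip is inside an internal/VPN range. This weakens the
    bearer-confirmation check (an assertion captured elsewhere behind the same
    NAT would pass), so both lists should be as narrow as possible.
    """
    addrs = confirmation_addresses(response_xml)
    if not addrs:
        return True, "no Address attribute present; nothing to check"

    observed = ipaddress.ip_address(client_ip)
    pools = [ipaddress.ip_network(p) for p in nat_pools]
    ranges = [ipaddress.ip_network(r) for r in client_ranges]

    for addr in addrs:
        asserted = ipaddress.ip_address(addr)
        if asserted == observed:
            return True, f"Address {addr} matches client address {client_ip}"
        if any(asserted in p for p in pools) and any(observed in r for r in ranges):
            return True, (f"Address {addr} is in a trusted NAT pool and client "
                          f"{client_ip} is in an internal range")

    return False, (f"Subject Confirmation Data address {addrs[0]} does not match "
                   f"client address {client_ip}")


if __name__ == "__main__":
    # Same host, no NAT in the path: accepted.
    print(check_address(SAMPLE_RESPONSE, "150.135.165.24"))
    # VPN client behind the NAT, strict policy: rejected, as in the ISE log.
    print(check_address(SAMPLE_RESPONSE, "150.135.112.40"))
    # Assumed NAT-aware policy scoped to the ranges named in the thread.
    print(check_address(SAMPLE_RESPONSE, "150.135.112.40",
                        nat_pools=["150.135.165.0/24"],
                        client_ranges=["150.135.112.0/24", "10.132.0.0/16"]))
```

The strict branch is what a bearer SubjectConfirmation is meant to enforce: the party presenting the assertion should be the same party the IdP authenticated. Any relaxation trades that guarantee for NAT tolerance, which is why the safer fixes discussed in this thread (putting the IdP back on the same side of the NAT, or a site-to-site VPN) are preferable to turning the check off.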

> Use other interfaces on ISE, maybe?


The problem is the customer wants to make MyDevices accessible only internally (10.132.X.X) or via VPN (150.135.112.X), but the Shibboleth server is now in AWS, so all users get NAT'd to 150.135.165.X. The extra ISE interface would have to be on the other side of the NAT and have a public IP, then ACLs/FW rules to only let internal users hit it... It might be easier to just keep one Shibboleth on prem for this purpose.


The request from the Shibboleth team was to see if ISE could stop doing the IP check; sounds like the answer to that is no... So we can evaluate other options.


Thanks.


Why not a site-to-site VPN to AWS, so that Shibboleth acts as if on-prem?
