Client ip when using simplesamlphp

Hi all

I am using privacyIDEA together with simplesamlphp. Both is installed at
the same machine.

Now I have the problem, when a system is using SAML 2.0 to authenticate
against simplesamlphp, I can never see the client ip in the audit log. I
always see 127.0.0.1 as client ip.

This means, I cannot assign any policies to a specific client.

As I can see in the code of the simplesaml plugin, this should not happen:

/**

Since the change is quite new, I am not sure if this feature is implemented
correctly yet. Does this work for anyone?

Best regards
Tobias

Hi Tobias,

tbi tbalschun@gmail.com writes:

Now I have the problem, when a system is using SAML 2.0 to authenticate
against simplesamlphp, I can never see the client ip in the audit log. I
always see 127.0.0.1 as client ip.

Did you add a configuration which clients are allowed to overwrite the
client IP? See Configuration -> System Configuration and
http://privacyidea.readthedocs.io/en/latest/configuration/system_config.html#override-authorization-client
for details.

Jochen–
This space is intentionally left blank.

tbi tbalschun@gmail.com writes:

Hi Jochen

Oh no, I wasn’t aware that this is necessary. Thanks for the tip.

If I remember correctly, /var/log/privacyidea/privacyidea.log should
have messages that the client is not allowed to overwrite the IP.

Did you have such messages?

Jochen–
This space is intentionally left blank.

Hi Jochen

Oh no, I wasn’t aware that this is necessary. Thanks for the tip.

Regards TobiasOn Monday, March 13, 2017 at 5:11:11 AM UTC+1, Jochen Hein wrote:

Hi Tobias,

tbi <tbal...@gmail.com <javascript:>> writes:

Now I have the problem, when a system is using SAML 2.0 to authenticate
against simplesamlphp, I can never see the client ip in the audit log. I
always see 127.0.0.1 as client ip.

Did you add a configuration which clients are allowed to overwrite the
client IP? See Configuration -> System Configuration and

http://privacyidea.readthedocs.io/en/latest/configuration/system_config.html#override-authorization-client
for details.

Jochen


This space is intentionally left blank.