Client ip when using simplesamlphp

tbi · March 12, 2017, 1:22pm

Hi all

I am using privacyIDEA together with simplesamlphp. Both is installed at
the same machine.

Now I have the problem, when a system is using SAML 2.0 to authenticate
against simplesamlphp, I can never see the client ip in the audit log. I
always see 127.0.0.1 as client ip.

This means, I cannot assign any policies to a specific client.

As I can see in the code of the simplesaml plugin, this should not happen:

/**

privacyidea authentication module.* 2017-02-13 Cornelius Kölbel cornelius.koelbel@netknights.it

       Forward the client IP to privacyIDEA

Since the change is quite new, I am not sure if this feature is implemented
correctly yet. Does this work for anyone?

Best regards
Tobias

Jochen_Hein · March 13, 2017, 4:11am

Hi Tobias,

tbi tbalschun@gmail.com writes:

Now I have the problem, when a system is using SAML 2.0 to authenticate
against simplesamlphp, I can never see the client ip in the audit log. I
always see 127.0.0.1 as client ip.

Did you add a configuration which clients are allowed to overwrite the
client IP? See Configuration → System Configuration and
http://privacyidea.readthedocs.io/en/latest/configuration/system_config.html#override-authorization-client
for details.

Jochen–
This space is intentionally left blank.

Jochen_Hein · March 13, 2017, 4:23pm

tbi tbalschun@gmail.com writes:

Hi Jochen

Oh no, I wasn’t aware that this is necessary. Thanks for the tip.

If I remember correctly, /var/log/privacyidea/privacyidea.log should
have messages that the client is not allowed to overwrite the IP.

Did you have such messages?

Jochen–
This space is intentionally left blank.

tbi · March 13, 2017, 6:27am

Hi Jochen

Oh no, I wasn’t aware that this is necessary. Thanks for the tip.

Regards TobiasOn Monday, March 13, 2017 at 5:11:11 AM UTC+1, Jochen Hein wrote:

Hi Tobias,

tbi <tbal...@gmail.com <javascript:>> writes:

Now I have the problem, when a system is using SAML 2.0 to authenticate
against simplesamlphp, I can never see the client ip in the audit log. I
always see 127.0.0.1 as client ip.

Did you add a configuration which clients are allowed to overwrite the
client IP? See Configuration → System Configuration and

5.3. System Config — privacyIDEA 3.8 documentation
for details.

Jochen

–
This space is intentionally left blank.