This document provides instructions for configuring a website or web application that uses the Internet2 Shibboleth Service Provider software to authenticate via SAML2, to ensure it works correctly when the website/app is behind Cloudflare.
A website can instead authenticate via SAML2 or OIDC using other software that talks to the university's Shibboleth Identity Provider (shibboleth.umich.edu and/or weblogin.umich.edu), for example the WordPress plugin "WP SAML Auth" or the Drupal module "openid_connect". In those cases, the instructions below do not apply.
When a website is behind Cloudflare, its traffic arrives from Cloudflare's edge rather than directly from visitors, so the web server sees requests from many IP addresses in data centers around the world. Requests from a single visitor may come from several of those addresses, even for the resources fetched while loading a single page. Likewise, when a user authenticates, the login may be initiated from one Cloudflare IP address and completed from a different one, even though the IP address of the user's own browser has not changed. The Shibboleth SP's address checks treat this as a possible session hijack and reject the session unless they are turned off.
If your web server is running the Internet2 Shibboleth implementation of the SAML2 Service Provider:
- Edit the file /etc/shibboleth/shibboleth2.xml
- Inside the <ApplicationDefaults> element, find the element named <Sessions>.
- Make sure that the <Sessions> element has both of the following attributes, each set to "false":
- checkAddress="false"
- consistentAddress="false"
- If you changed the file shibboleth2.xml:
- Save the changes
- Stop the web server process
- Stop the shibd process
- Wait 10 seconds to be safe
- Start the shibd process
- Start the web server process
Here is an example of what the <Sessions> element opening tag might look like after making these changes. The other attributes shown are illustrative only: their values may differ on your web server, and your server may need attributes that are not shown here.
<Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
checkAddress="false" consistentAddress="false"
handlerSSL="true" cookieProps="https" redirectLimit="exact">
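As an added example (not code from the original page or from the Shibboleth project), the following Python script audits a shibboleth2.xml for the two attributes above and produces a corrected copy. It parses the file with the standard library to locate the <Sessions> element under <ApplicationDefaults> regardless of namespace prefix, reports an absent attribute as a failure (the SP defaults both to true), and applies the fix by rewriting only the opening tag's attribute list so comments and formatting elsewhere in the file survive. The embedded sample configuration, its placeholder entity IDs (sp.example.org, idp.example.org) and the function names are this example's own assumptions.

```python
"""Audit shibboleth2.xml for the <Sessions> attributes required behind Cloudflare.

Added example; not part of the Shibboleth SP distribution or the original page.
"""
import re
import sys
import xml.etree.ElementTree as ET

# Shibboleth SP defaults both of these to true; behind Cloudflare both must be "false".
REQUIRED = {"checkAddress": "false", "consistentAddress": "false"}

# Constructed sample config for this example (entity IDs are placeholders).
# checkAddress is absent, so the default (true) applies; consistentAddress is explicitly true.
SAMPLE_CONFIG = """<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config"
          xmlns:conf="urn:mace:shibboleth:3.0:native:sp:config" clockSkew="180">
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth" REMOTE_USER="eppn">
    <!-- session settings -->
    <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
              consistentAddress="true"
              handlerSSL="true" cookieProps="https" redirectLimit="exact">
      <SSO entityID="https://idp.example.org/idp/shibboleth">SAML2</SSO>
    </Sessions>
  </ApplicationDefaults>
</SPConfig>
"""


def _local(tag):
    """Strip the namespace from an element tag ("{ns}Sessions" -> "Sessions")."""
    return tag.rsplit("}", 1)[-1]


def find_sessions(root):
    """Return the <Sessions> element that is a direct child of <ApplicationDefaults>, or None."""
    for elem in root.iter():
        if _local(elem.tag) == "ApplicationDefaults":
            for child in elem:
                if _local(child.tag) == "Sessions":
                    return child
    return None


def audit_sessions(xml_text):
    """Map each required attribute to (value_as_written, ok).

    value_as_written is None when the attribute is absent; the SP then uses its
    default (true), so an absent attribute is reported as not ok.
    """
    sessions = find_sessions(ET.fromstring(xml_text))
    if sessions is None:
        raise ValueError("no <Sessions> element under <ApplicationDefaults>")
    return {attr: (sessions.get(attr), sessions.get(attr) == wanted)
            for attr, wanted in REQUIRED.items()}


def cloudflare_ready(xml_text):
    """True only if both attributes are explicitly set to "false"."""
    return all(ok for _, ok in audit_sessions(xml_text).values())


# Matches the <Sessions ...> opening tag (optionally prefixed, e.g. <conf:Sessions>) and
# captures its attribute list; the \b keeps it from matching <SessionInitiator>.
_SESSIONS_OPEN = re.compile(r"<(?:\w+:)?Sessions\b([^>]*?)/?>")


def fix_sessions_text(xml_text):
    """Return xml_text with both attributes forced to "false" on the <Sessions> opening tag.

    Only that tag's attribute list is rewritten, so comments, namespace prefixes and
    formatting elsewhere are preserved (re-serialising through ElementTree would drop them).
    """
    m = _SESSIONS_OPEN.search(xml_text)
    if m is None:
        raise ValueError("no <Sessions> opening tag found")
    attrs = m.group(1)
    for attr, wanted in REQUIRED.items():
        pat = re.compile(rf'\b{attr}\s*=\s*"[^"]*"')
        if pat.search(attrs):
            attrs = pat.sub(f'{attr}="{wanted}"', attrs)   # replace an existing value
        else:
            attrs += f' {attr}="{wanted}"'                 # add a missing attribute
    return xml_text[:m.start(1)] + attrs + xml_text[m.end(1):]


if __name__ == "__main__":
    # Usage: python audit_shib.py [/etc/shibboleth/shibboleth2.xml]
    # With no path the constructed sample is audited. Nothing is written back: the corrected
    # text is printed for review, and shibd and the web server still need the restart above.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else SAMPLE_CONFIG
    for attr, (value, ok) in audit_sessions(text).items():
        status = "ok" if ok else 'MUST be "false"'
        print(f"{attr}={value!r}: {status}")
    if not cloudflare_ready(text):
        print(fix_sessions_text(text))
```

Run it against the live file as `python audit_shib.py /etc/shibboleth/shibboleth2.xml`, compare the printed output with the original before replacing the file, and then perform the stop/start sequence above so shibd and the web server pick up the change.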
checkAddress controls whether the SP compares the client address of each request against the address recorded when the session was created; consistentAddress controls whether the address that initiates a login must match the address that completes it. Both checks bind a session to an IP address as a defense against stolen session cookies, so once they are disabled behind Cloudflare that protection rests on keeping the session cookie confined to HTTPS (handlerSSL="true" and cookieProps="https"). For details, refer to the Shibboleth SP documentation on checkAddress and consistentAddress.
For assistance or questions, contact [email protected].
