Sun OpenSSO Enterprise Policy Agent 3.0 User's Guide for Web Agents

Validating Client IP Addresses

This feature can be used to enhance security by preventing the stealing or hijacking of SSO tokens.

By default, the web agent property labeled Client IP Validation (Tab: Application, Name: com.sun.identity.agents.config.client.ip.validation.enable) is not enabled.

If you enable this property, client IP address validation is enforced for each incoming request that contains an SSO token. If the IP address from which the request originated does not match the IP address for which the SSO token was issued, the request is denied. This is essentially the same as enforcing a deny policy.

This feature should not be used, however, if the client browser uses a web proxy or if a load balancer exists somewhere between the client browser and the agent-protected deployment container. In such cases, the IP address appearing in the request will not reflect the real IP address on which the client browser runs.
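
The following added example is a simplified model of the check and of the proxy and load balancer caveat described above. It is not code from the policy agent; the class, function names, addresses and token values are assumptions constructed for illustration.

```python
# Simplified model of client IP validation (added example, not agent code).
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence

@dataclass(frozen=True)
class SsoToken:
    token_id: str      # constructed sample value
    issued_to_ip: str  # address the token was issued for

def observed_source_ip(client_ip: str, hops: Sequence[str] = ()) -> str:
    """Address seen on the connection: the last intermediary (web proxy,
    load balancer) if there is one, otherwise the client itself."""
    return hops[-1] if hops else client_ip

def ip_check_passes(token: Optional[SsoToken], source_ip: str, enabled: bool) -> bool:
    """False means the request is denied by client IP validation."""
    if token is None or not enabled:
        return True  # check applies only to requests carrying an SSO token
    return ipaddress.ip_address(source_ip) == ipaddress.ip_address(token.issued_to_ip)

def run_scenarios() -> dict:
    client, other, lb = "198.51.100.10", "203.0.113.77", "10.0.0.5"  # constructed
    direct_token = SsoToken("sample-token-1", issued_to_ip=client)
    proxied_token = SsoToken("sample-token-2", issued_to_ip=lb)
    return {
        "same client, direct": ip_check_passes(direct_token, observed_source_ip(client), True),
        "token presented from a different address": ip_check_passes(direct_token, observed_source_ip(other), True),
        "same client, now behind a load balancer": ip_check_passes(direct_token, observed_source_ip(client, [lb]), True),
        "different client behind the same load balancer": ip_check_passes(proxied_token, observed_source_ip(other, [lb]), True),
        "different address, property left at default": ip_check_passes(direct_token, observed_source_ip(other), False),
    }

if __name__ == "__main__":
    for name, allowed in run_scenarios().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5}  {name}")
```

In this model the legitimate user is denied once an intermediary changes the address seen on the request, and clients that share an intermediary cannot be told apart by address.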