OAM IP Validation issue

Matthew R, Sep 24 2009 (edited Sep 25 2009)

We use cross-domain form login for single-sign-on with OAM. Users are redirected to a site (ex: https://www.examplelogin.com) to log in, and are then redirected back to the requested site (ex: http://www.exampleapp.com).

We have encountered a problem with OAM's IP Validation in that, for a small number of user PCs whose requests are coming from the external Internet, OAM is seeing a different source IP address for the https requests to the examplelogin domain than it is seeing for the http requests to the exampleapp domain. As a result, the user is redirected back to the login domain, which recognizes that the user is already logged in and redirects back, and the user is caught in an infinite redirect loop. If the user is connected to the internal network, either via VPN or a direct connection, everything works fine. The majority of the external users don't have this problem, either.

The IP addresses vary widely, so it's not just a single address that we can add to the IP Validation Exceptions list. We could just disable IP Validation, but we are reluctant to do so since requests to the application domain are not SSL-encrypted.

We're running OAM version 10.1.4.2, with BP04 applied to the WebGate on the login domain but not the WebGate on the application domain.

Does anyone have any ideas on this? Do most people disable IP Validation?

Thanks,
Matthew
Locked on Oct 23 2009
Added on Sep 24 2009
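
An added example, not part of the original post and not OAM code: a simplified model of an IP-bound SSO token check that reproduces the redirect loop described above, plus a helper that lists users whose source IP differs between the two domains in access-log records. The token model, function names, user names and IP addresses are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

LOGIN_HOST = "www.examplelogin.com"  # hosts named in the post
APP_HOST = "www.exampleapp.com"

@dataclass(frozen=True)
class Token:
    user: str
    bound_ip: str  # source IP recorded when the login domain issued the token

def ip_allowed(token, request_ip, ip_validation=True, exceptions=frozenset()):
    """Accept when validation is off, the IP is excepted, or it matches the token."""
    if not ip_validation or request_ip in exceptions:
        return True
    return token.bound_ip == request_ip

def simulate(ip_seen_by, ip_validation=True, exceptions=frozenset(), max_hops=10):
    """Follow redirects; ip_seen_by maps host -> source IP that host observes.
    Returns ("ok", hops) on access or ("loop", max_hops) if never admitted."""
    token, host = None, APP_HOST
    for hop in range(1, max_hops + 1):
        seen = ip_seen_by[host]
        if host == LOGIN_HOST:
            # First visit issues the token; later visits find the session valid
            # (same IP as at issue time) and just send the browser back.
            token = token or Token("constructed-user", seen)
            host = APP_HOST
        elif token and ip_allowed(token, seen, ip_validation, exceptions):
            return ("ok", hop)
        else:
            host = LOGIN_HOST
    return ("loop", max_hops)

def users_with_split_ips(records):
    """records: (user, host, source_ip) tuples from access logs of both domains.
    Returns users whose login-domain and app-domain IP sets do not overlap."""
    seen = defaultdict(lambda: defaultdict(set))
    for user, host, ip in records:
        seen[user][host].add(ip)
    return sorted(u for u, h in seen.items()
                  if h[LOGIN_HOST] and h[APP_HOST]
                  and not (h[LOGIN_HOST] & h[APP_HOST]))

# Constructed sample data (documentation-range addresses, not from the post).
SAME = {LOGIN_HOST: "203.0.113.10", APP_HOST: "203.0.113.10"}
SPLIT = {LOGIN_HOST: "203.0.113.10", APP_HOST: "198.51.100.7"}
RECORDS = [("alice", LOGIN_HOST, "203.0.113.10"), ("alice", APP_HOST, "203.0.113.10"),
           ("bob", LOGIN_HOST, "203.0.113.10"), ("bob", APP_HOST, "198.51.100.7")]

if __name__ == "__main__":
    print(simulate(SAME), simulate(SPLIT), simulate(SPLIT, ip_validation=False))
    print(users_with_split_ips(RECORDS))
```

Running the helper over real access logs from both WebGates shows how many users and which address ranges are affected before any change is made to the IP Validation setting or its exceptions list.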