Duke@Work: FatalProfileException Error During Shibboleth Login
Symptoms
Users attempting to access a Shibboleth-protected site (for example, Duke@Work) may receive an error similar to the following:
opensaml::FatalProfileException
The system encountered an error at <timestamp>
Please include the following message in any email:
opensaml::FatalProfileException at (https://exampleURL/Shibboleth.sso/SAML2/POST)
Your client's current address (IP address) differs from the one used when you authenticated to your identity provider. To correct this problem, you may need to bypass a proxy server.
Cause
This error occurs when the user's IP address changes during the authentication process.
Shibboleth requires the IP address used during login to remain consistent. If the IP changes, authentication fails as a security precaution.
Common causes include:
1. Multiple active network connections, such as being connected to both wired (Ethernet) and wireless (Wi-Fi) networks at the same time.
2. Internet provider or network routing behavior that sends requests through different IP addresses, such as NAT or proxy-related routing.
In these cases, the IP address seen by Duke@Work may differ from the IP address seen by the Shibboleth Identity Provider.
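The comparison behind this error can be modeled as follows. This is an added example, not Shibboleth's or Duke's own code: it assumes the identity provider records the login address in the SAML 2.0 SubjectConfirmationData Address attribute, and the assertion fragment, host name, IP addresses, and function names are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion fragment (not captured from any real system).
# A real service provider validates the signature before trusting any field.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Address="192.0.2.10"
          Recipient="https://sp.example.org/Shibboleth.sso/SAML2/POST"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>
"""


def _normalize(addr):
    """Parse an address; fold IPv4-mapped IPv6 (::ffff:a.b.c.d) to IPv4."""
    ip = ipaddress.ip_address(addr.strip())
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def asserted_addresses(assertion_xml):
    """Return every address the identity provider recorded in the assertion."""
    root = ET.fromstring(assertion_xml)
    found = root.findall(".//saml:SubjectConfirmationData[@Address]", SAML_NS)
    return [_normalize(e.get("Address")) for e in found]


def check_client_address(assertion_xml, client_addr):
    """Compare the address seen by the protected site with the recorded one."""
    asserted = asserted_addresses(assertion_xml)
    if not asserted:
        return (True, "no address in assertion; nothing to compare")
    client = _normalize(client_addr)
    if client in asserted:
        return (True, "match")
    return (False, f"client {client} differs from IdP-recorded {asserted[0]}")


if __name__ == "__main__":
    # Same machine, but the second request left through a different interface.
    for seen in ("192.0.2.10", "::ffff:192.0.2.10", "198.51.100.7"):
        print(seen, check_client_address(SAMPLE_ASSERTION, seen))
```

The third address models the dual-connection and NAT cases listed above: the user is the same, but the protected site sees a different source address than the identity provider recorded, so the check fails.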
Solution
Scenario 1: Multiple Active Connections
Disable one network connection:
- If using Ethernet → turn off Wi-Fi
- If using Wi-Fi → unplug Ethernet
Close all browser windows and try again.
Scenario 2: ISP or Network Causing IP Changes
Connect to the Duke VPN.
This ensures a consistent IP address throughout authentication.
Additional Notes
Restarting the browser or computer may help reset network sessions.
Avoid switching networks during login.
If the issue persists, contact the OIT Service Desk at 919-684-2200 for further assistance.
Article number: KB0018219
Valid to: March 26, 2027