browse
This document provides details on how to rectify when users experience errors authenticating to the GCKey service. Specifically, the document details errors related to a remote IP address mismatch that may occur upon submitting credentials within the GCKey service.
What is Remote IP Mismatch
GCKey integrated with a captcha service provider to enhance its security posture and safeguard end users. One security mechanism that is part of this integration is IP address verification, which mitigates against captcha farms and other abusive traffic. A remote IP mismatch can happen when a captcha service provider receives a different IP address than the IP address the GCKey service sees for that same user. When this happens, the end user will be unable to complete a successful authentication to the service and will see an Invalid Session error page in their browser. Note that the Invalid Session error page may be seen in other instances as well, however these are usually resolved through basic troubleshooting steps, including clearing the browser cache, using a private or incognito browsing window, or switching browsers altogether. If these typical troubleshooting steps do not work, there may be an IP mismatch error occurring.
How Does Remote IP Matching Work
GCKey's integration with the captcha service provider is a 2 step-process:
- First, the user's browser talks directly to the captcha provider via JavaScript. The provider notes the IP address from that request, and returns a token to the user.
- The login submission to GCKey is then performed with the user entering their username and password. With that submission, the token received from the captcha provider is also included. GCKey will pass the token along with the IP address it sees back to the captcha provider for verification.
If the IP addresses in step 1 and step 2 are different, the verification check will result in a fail and the Invalid Session error will be displayed, mentioned previously.
Resolving an IP Mismatch if using Umbrella SWG service
In order to resolve a remote IP mismatch error add the following domains to external domains list
clegc-gckey.gc.ca
hcaptcha.com