Google's browser sync plugin for for firefox (see http://www.google.com/tools/firefox/browsersync/ ) causes problems. When the user requests the apps /login link, the user will get redirected. However the IdP will see the request as coming from Google's IP address. The user with then step through the forward redirects with their norma site IP address and end up coming back to the SP for the POST using that site IP address. This offends shibd and it logs the exception:
"caught exception while retrieving session: Your IP address (66.249.84.68) does not match the address recorded at the time the session was established."
An applicatoin could allow the use of the Google browser sync plugin by setting consistentAddress="false". However this significant security ramifications. A session could easily be highjacked by an attacker and the original user impersonated for other transactions. Instead, users shoul dbe instructed not to use this plugin.