Versions Compared

...

IdP sessions are by default bound to an "address" in order to prevent trivial session takeover simply through session cookie exposure. This can be disabled via the idp.session.consistentAddress property or relaxed in various ways through the idp.session.consistentAddressCondition extension point. It is deeply ill-advised to simply disable this checking entirely, and it is deeply unsafe to operate networks that hide a plethora of clients behind a single address.
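As an added illustration (not code from the IdP project or this page) of relaxing the check rather than disabling it, the condition below accepts an address change only within a configured prefix of the originally bound address. It assumes that the extension point accepts a java.util.function.BiPredicate<String,String> comparing the session-bound address with the current request address; the class name, prefix lengths and sample addresses are all constructed for the example.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Arrays;
import java.util.function.BiPredicate;

/**
 * Hypothetical address-consistency condition for the idp.session.consistentAddressCondition
 * extension point (assumed contract: BiPredicate of bound address, request address).
 * Two addresses are consistent only when they share an address family and a network prefix,
 * so a session survives DHCP churn inside one subnet but not a cookie replayed from elsewhere.
 */
public class SubnetConsistentAddressCondition implements BiPredicate<String, String> {

    private final int v4PrefixBits;
    private final int v6PrefixBits;

    public SubnetConsistentAddressCondition(int v4PrefixBits, int v6PrefixBits) {
        this.v4PrefixBits = v4PrefixBits;
        this.v6PrefixBits = v6PrefixBits;
    }

    @Override
    public boolean test(String boundAddress, String requestAddress) {
        try {
            // Inputs are client IP literals; a hostname here would trigger DNS, so reject it.
            if (boundAddress == null || requestAddress == null
                    || !boundAddress.matches("[0-9a-fA-F.:]+") || !requestAddress.matches("[0-9a-fA-F.:]+")) {
                return false;
            }
            byte[] a = InetAddress.getByName(boundAddress).getAddress();
            byte[] b = InetAddress.getByName(requestAddress).getAddress();
            // A family change (IPv4 vs IPv6) cannot be a subnet match: fail closed.
            if (a.length != b.length) {
                return false;
            }
            int bits = (a.length == 4) ? v4PrefixBits : v6PrefixBits;
            return samePrefix(a, b, bits);
        } catch (UnknownHostException | IllegalArgumentException e) {
            return false;
        }
    }

    /** Compare the leading {@code bits} bits of two raw addresses of equal length. */
    static boolean samePrefix(byte[] a, byte[] b, int bits) {
        int fullBytes = Math.min(bits / 8, a.length);
        if (!Arrays.equals(Arrays.copyOf(a, fullBytes), Arrays.copyOf(b, fullBytes))) {
            return false;
        }
        int rem = bits % 8;
        if (rem == 0 || fullBytes >= a.length) {
            return true;
        }
        int mask = (0xFF << (8 - rem)) & 0xFF;
        return (a[fullBytes] & mask) == (b[fullBytes] & mask);
    }
}
```

With prefixes of 24 and 64, 192.0.2.10 and 192.0.2.77 are treated as consistent while 192.0.2.10 and 198.51.100.10 are not; the bean wiring (declaring this class as a bean and naming its id in idp.session.consistentAddressCondition) is assumed, not taken from the page.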

...