Massive authentications from SP GoogleApps

Losen, Stephen C (scl) scl at
Tue Sep 3 06:30:38 EDT 2019

Hi Miguel,

I have seen looping like this, but not necessarily involving Google. The user visits the SP, which redirects the user to our IDP for authentication. After success, the IDP redirects the user back to the SP. However, the SP does not accept the credentials (assertion). Perhaps the SP has its own database of users and the SP fails to find the user. Perhaps the assertion for this user is unacceptable for some other reason. The SP should display an error page, but instead lets the user try again. The SP redirects the user back to our IDP for authentication with a new auth request. But this time the user has an IDP session, so the IDP displays no login page and redirects the user back to the SP with another assertion, which the SP rejects. And this sets up a redirect loop.

The IDP is unaware of any problem and the IDP logs show no errors. But the logs do show a large number of normal logins to the same SP by the same user. 

Steve Losen
ITS - Enterprise Infrastructure
University of Virginia
mailto:scl at    434-924-0640

From: users <users-bounces at> On Behalf Of Miguel Salinas Vivancos
Sent: Monday, September 2, 2019 1:04 PM
To: users at
Subject: Massive authentications from SP GoogleApps

We are using Shibboleth IDP 3.4.4 over Java 1.8, deployed in a Tomcat 8.5.
We have multiple SPs configured to authenticate against our IDP, including big commercial ones like Amazon, Adobe and Microsoft.

Our problem is that sometimes (maybe once or twice a week), we receive a huge amount of authentications from GoogleApps.
I'm talking over 250 logins in a few seconds when the average for that SP is 5 per minute. 

In the logs we have seen that during that peak the user is always the same, and Shibboleth is generating different sessions. On different peaks, the users are different, so it doesn't seem to be a problem of specific users.

This also happened to us with IDP 3.1.2 over Java 1.7 in a Tomcat 7, so the version of the components doesn't seem to be the problem either.

Has anyone faced something similar? Maybe one of the applications of GoogleApps or the OS/device of the users?

Thank you in advance

Miguel Salinas Vivancos
Identity Management Integrator 
Tel.: +34 639 198 154 - mail:msalinas at

Grupo SIA
Citypark, Edificio Atenas, Ctra. Hospitalet 147. 08940 Cornellá de Llobregat - Barcelona  - Twitter: @SIA_es  - LinkedIn: Grupo SIA
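
The pattern described in this thread (a burst of successful logins by one user to one SP, with no errors on the IdP side) can be picked out of login records with a sliding-window count per user and SP. This is an added example, not code from either post or from the Shibboleth project; the `timestamp|SP|user` line format, the entity ID, the user names and the window and threshold values are constructed assumptions, not the IdP's real audit log layout.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%f"
SP_GOOGLE = "https://sp.example.org/google"  # placeholder entity ID (assumption)


def find_login_loops(lines, window_seconds=10, threshold=20):
    """Return {(user, sp): peak} for pairs with >= threshold logins inside
    any window_seconds span. Lines must be in chronological order."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # (user, sp) -> timestamps still in window
    peaks = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts_raw, sp, user = line.split("|")
        ts = datetime.strptime(ts_raw, TS_FORMAT)
        seen = recent[(user, sp)]
        seen.append(ts)
        # Drop logins that have fallen out of the sliding window.
        while ts - seen[0] > window:
            seen.popleft()
        if len(seen) >= threshold:
            peaks[(user, sp)] = max(peaks.get((user, sp), 0), len(seen))
    return peaks


def build_sample():
    """Constructed records: baseline traffic plus one redirect-loop burst."""
    base = datetime(2019, 9, 2, 12, 0, 0)
    events = []
    # Baseline: one login every 12 s (5 per minute), spread over 7 users.
    for i in range(25):
        events.append((base + timedelta(seconds=12 * i), SP_GOOGLE, f"user{i % 7}"))
    # Loop: 250 logins by the same user in under 5 seconds.
    for i in range(250):
        events.append((base + timedelta(seconds=60, milliseconds=20 * i),
                       SP_GOOGLE, "looper"))
    events.sort()
    return [f"{ts.strftime(TS_FORMAT)}|{sp}|{user}" for ts, sp, user in events]


if __name__ == "__main__":
    for (user, sp), peak in find_login_loops(build_sample()).items():
        print(f"possible redirect loop: {user} -> {sp}, {peak} logins within 10 s")
```
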
