Massive authentications from SP GoogleApps
Losen, Stephen C (scl)
scl at virginia.edu
Tue Sep 3 06:30:38 EDT 2019
I have seen looping like this, but not necessarily involving Google. The user visits the SP, which redirects the user to our IDP for authentication. After success, the IDP redirects the user back to the SP. However, the SP does not accept the credentials (assertion). Perhaps the SP has its own database of users and the SP fails to find the user. Perhaps the assertion for this user is unacceptable for some other reason. The SP should display an error page, but instead lets the user try again. The SP redirects the user back to our IDP for authentication with a new auth request. But this time the user has an IDP session, so the IDP displays no login page and redirects the user back to the SP with another assertion, which the SP rejects. And this sets up a redirect loop.
The IDP is unaware of any problem and the IDP logs show no errors. But the logs do show a large number of normal logins to the same SP by the same user.
ITS - Enterprise Infrastructure
University of Virginia
mailto:scl at virginia.edu 434-924-0640
From: users <users-bounces at shibboleth.net> On Behalf Of Miguel Salinas Vivancos
Sent: Monday, September 2, 2019 1:04 PM
To: users at shibboleth.net
Subject: Massive authentications from SP GoogleApps
We are using Shibboleth IDP 3.4.4 over Java 1.8, deployed in a Tomcat 8.5.
We have multiple SPs configured to authenticate against our IDP, including big commercial ones like Amazon, Adobe and Microsoft.
Our problem is that sometimes (maybe once or twice a week), we receive a huge amount of authentications from GoogleApps.
I'm talking over 250 logins in a few seconds when the average for that SP is 5 per minute.
In the logs we have seen that during that peak the user is always the same, and Shibboleth is generating different sessions. In different peaks, the users are different, so it doesn't seem to be a problem with specific users.
This also happened to us with IDP 3.1.2 over Java 1.7 in a Tomcat 7, so the version of the components doesn't seem to be the problem either.
Has anyone faced something similar? Maybe one of the applications of GoogleApps or the OS/device of the users?
Thank you in advance
Miguel Salinas Vivancos
Identity Management Integrator
Tel.: +34 639 198 154 - mail:msalinas at bcn.sia.es
Citypark, Edificio Atenas, Ctra. Hospitalet 147. 08940 Cornellá de Llobregat - Barcelona
http://www.sia.es/ - Twitter: @SIA_es - LinkedIn: Grupo SIA
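Added example, not part of the original thread and not Shibboleth code: a check for the signature described in the reply above (many successful logins by one user to one SP within seconds, with no errors logged), run over audit log lines. The `timestamp|SP entityID|principal` layout, the entity IDs, the window and the threshold are assumptions to adapt to the deployment's own audit format; the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"

def parse_line(line):
    """Parse 'timestamp|SP entityID|principal' (assumed, simplified layout)."""
    ts, sp, user = line.strip().split("|")
    return datetime.strptime(ts, TS_FORMAT), sp, user

def find_login_bursts(lines, window=timedelta(seconds=10), threshold=20):
    """Return {(sp, user): peak login count} for every SP/user pair that
    reaches `threshold` logins inside one sliding `window`.
    Lines must be in chronological order, as they are in a log file."""
    recent = defaultdict(deque)   # (sp, user) -> timestamps still in the window
    peaks = {}
    for line in lines:
        if not line.strip():
            continue
        ts, sp, user = parse_line(line)
        q = recent[(sp, user)]
        q.append(ts)
        while ts - q[0] > window:   # drop logins older than the window
            q.popleft()
        if len(q) >= threshold:
            peaks[(sp, user)] = max(peaks.get((sp, user), 0), len(q))
    return peaks

def build_sample_log():
    """Constructed sample: normal traffic plus one redirect loop."""
    base = datetime(2019, 9, 2, 17, 0, 0)
    sp_a, sp_b = "https://sp-a.example.org", "https://sp-b.example.org"
    rows = []
    # Normal load: a different user every 12 s (about 5 logins per minute).
    for i in range(25):
        rows.append((base + timedelta(seconds=12 * i), sp_a, f"user{i:02d}"))
    # Redirect loop: same user, same SP, 60 logins 50 ms apart.
    for i in range(60):
        delta = timedelta(seconds=120, milliseconds=50 * i)
        rows.append((base + delta, sp_a, "looper"))
    # Repeated but slow logins by one user: must not be flagged.
    for i in range(5):
        rows.append((base + timedelta(seconds=200 + 15 * i), sp_b, "user03"))
    rows.sort()
    return [f"{t.strftime(TS_FORMAT)}|{sp}|{u}" for t, sp, u in rows]

if __name__ == "__main__":
    for (sp, user), count in find_login_bursts(build_sample_log()).items():
        print(f"possible SP redirect loop: {user} -> {sp}, {count} logins in 10 s")
```

Because the IDP side logs only normal logins, a hit from this check points at the SP's handling of the assertion for that user rather than at the IDP.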