Massive authentications from SP GoogleApps

Miguel Salinas Vivancos msalinas at bcn.sia.es
Tue Sep 3 10:18:05 EDT 2019


Hi Steve, thank you for your answer.
If the hypothesis is a SAML Response rejected by the SP, then it will only happen with specific Google Applications, right? The rest of the users are accessing Gmail without problems.
I don't know if Google stores the users but it's strange that they check it in just some apps.

The assertion is quite simple as we only send the mail attribute.

I've found this link https://developers.google.com/admin-sdk/reports/v1/appendix/activity/saml, maybe we can try to look up the SP logs...

If we find the answer, we'll post it.


Miguel Salinas Vivancos
Identity Management Integrator 
Tel.: +34 639 198 154 - mail:msalinas at bcn.sia.es

Grupo SIA
Citypark, Edificio Atenas, Ctra. Hospitalet 147. 08940 Cornellá de Llobregat - Barcelona
www.sia.es  - Twitter: @SIA_es  - LinkedIn: Grupo SIA


-----Original Message-----
From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Losen, Stephen C (scl)
Sent: Tuesday, 3 September 2019 12:31
To: Shib Users
Subject: RE: Massive authentications from SP GoogleApps

Hi Miguel,

I have seen looping like this, but not necessarily involving Google. The user visits the SP, which redirects the user to our IDP for authentication. After success, the IDP redirects the user back to the SP. However, the SP does not accept the credentials (assertion). Perhaps the SP has its own database of users and the SP fails to find the user. Perhaps the assertion for this user is unacceptable for some other reason. The SP should display an error page, but instead lets the user try again. The SP redirects the user back to our IDP for authentication with a new auth request. But this time the user has an IDP session, so the IDP displays no login page and redirects the user back to the SP with another assertion, which the SP rejects. And this sets up a redirect loop.

The IDP is unaware of any problem and the IDP logs show no errors. But the logs do show a large number of normal logins to the same SP by the same user. 

Steve Losen
ITS - Enterprise Infrastructure
University of Virginia
mailto:scl at virginia.edu    434-924-0640

From: users <users-bounces at shibboleth.net> On Behalf Of Miguel Salinas Vivancos
Sent: Monday, September 2, 2019 1:04 PM
To: users at shibboleth.net
Subject: Massive authentications from SP GoogleApps

Hi,
We are using Shibboleth IDP 3.4.4 over Java 1.8, deployed in a Tomcat 8.5.
We have multiple SPs configured to authenticate against our IDP, including big commercial ones like Amazon, Adobe and Microsoft.

Our problem is that sometimes (maybe once or twice a week), we receive a huge number of authentications from GoogleApps.
I'm talking over 250 logins in a few seconds when the average for that SP is 5 per minute. 

In the logs we have seen that on that peak the user is always the same, and Shibboleth is generating different sessions. On different peaks, the users are different, so it doesn't seem to be a problem of specific users.

This also happened to us with IDP 3.1.2 over Java 1.7 in a Tomcat 7, so the version of the components doesn't seem to be the problem either.

Has anyone faced something similar? Maybe one of the applications of GoogleApps or the OS/device of the users?

Thank you in advance


Miguel Salinas Vivancos
Identity Management Integrator 
Tel.: +34 639 198 154 - mail:msalinas at bcn.sia.es

Grupo SIA
Citypark, Edificio Atenas, Ctra. Hospitalet 147. 08940 Cornellá de Llobregat - Barcelona
http://www.sia.es/  - Twitter: @SIA_es  - LinkedIn: Grupo SIA
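
Added example, not part of the original thread or of Shibboleth: a sliding-window check that flags the pattern described above, many successful logins by the same user to the same SP within a few seconds. The pipe-delimited line layout (timestamp|SP entityID|principal), the names and the thresholds are assumptions; map the field indices to the audit format your IdP actually writes.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed (hypothetical) layout of one pipe-delimited audit line:
#   timestamp|SP entityID|principal
# Adjust the indices and timestamp format to the audit format your IdP writes.
TS_FIELD, SP_FIELD, USER_FIELD = 0, 1, 2
TS_FORMAT = "%Y%m%dT%H%M%SZ"

def find_login_bursts(lines, window_seconds=10, threshold=20):
    """Return {(sp, user): peak_count} for every SP/user pair whose logins
    within any sliding window of window_seconds reach threshold.
    Timestamps for each pair are expected in ascending order."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # (sp, user) -> timestamps still in the window
    peaks = {}
    for line in lines:
        fields = line.strip().split("|")
        if len(fields) <= max(TS_FIELD, SP_FIELD, USER_FIELD):
            continue  # truncated or unrelated line
        try:
            ts = datetime.strptime(fields[TS_FIELD], TS_FORMAT)
        except ValueError:
            continue  # unparseable timestamp
        key = (fields[SP_FIELD], fields[USER_FIELD])
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()  # drop logins that fell out of the window
        if len(q) >= threshold:
            peaks[key] = max(peaks.get(key, 0), len(q))
    return peaks

def build_sample():
    """Constructed sample: bob logs in once a minute, alice loops 30 times in 3 s."""
    base = datetime(2019, 9, 3, 10, 0, 0)
    lines = [f"{(base + timedelta(minutes=m)).strftime(TS_FORMAT)}|sp.example.org|bob"
             for m in range(5)]
    lines += [f"{(base + timedelta(seconds=i // 10)).strftime(TS_FORMAT)}|sp.example.org|alice"
              for i in range(30)]
    lines.append("not an audit line")  # malformed input is skipped
    return lines

if __name__ == "__main__":
    for (sp, user), peak in find_login_bursts(build_sample()).items():
        print(f"possible redirect loop: {user} -> {sp}, {peak} logins within 10 s")
```

Because the IdP logs each iteration of the loop as a normal login, the burst rate per SP/user pair is the only signal available on the IdP side; the rejection itself is visible only in the SP's logs.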

