Massive authentications from SP GoogleApps
cantor.2 at osu.edu
Tue Sep 3 10:40:18 EDT 2019
All it takes is a broken client. There is no way to avoid looping, they happen all the time with all services. The IdP could implement some kind of throttling, but it's a fine line and a lot of potential hassle to deal with if you have to respond to an incorrectly blocked client and "unblock" it, and most people don't want to oversee things at that level of detail.
It could also be handled in a lot of other ways at lower layers like the web server itself and that's probably more appropriate.
More information about the users