Massive authentications from SP GoogleApps

Greg Haverkamp gahaverkamp at lbl.gov
Tue Sep 3 11:14:30 EDT 2019


On Tue, Sep 3, 2019 at 7:18 AM Miguel Salinas Vivancos <msalinas at bcn.sia.es>
wrote:

> Hi Steve, thank you for your answer.
> If the hypothesis is a SAML Response rejected by the SP, then it will only
> happen with specific Google Applications, right? The rest of the users are
> accessing Gmail without problems.
> I don't know if Google stores the users but it's strange that they check
> it in just some apps.
>

We've seen it historically for users who initiate logins at specific vanity
URLs (e.g., http://gcal.lbl.gov) that have CNAME records pointing to
Google.  It's not all of them; Calendar has historically been the worst.
We've never had problems with Gmail.  After wasting too much time on it, my
solution for users has been, "Don't do that."  I probably should have just
removed the domain mapping.

AFAIK, it has not happened to users when visiting the direct service URLs.


>
> The assertion is quite simple as we only send the mail attribute.
>
> I've found this link
> https://developers.google.com/admin-sdk/reports/v1/appendix/activity/saml,
> maybe we can try to lookup the SP logs...
>

Those logs are for the G Suite IdP, not the SP.


Greg


> If we find the answer, we'll post it.
>
>
> Miguel Salinas Vivancos
> Identity Management Integrator
> Tel.: +34 639 198 154 - mail: msalinas at bcn.sia.es
>
> Grupo SIA
> Citypark, Edificio Atenas, Ctra. Hospitalet 147. 08940 Cornellá de
> Llobregat - Barcelona
> www.sia.es  - Twitter: @SIA_es  - LinkedIn: Grupo SIA
>
>
> -----Original Message-----
> From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Losen,
> Stephen C (scl)
> Sent: Tuesday, September 3, 2019 12:31
> To: Shib Users
> Subject: RE: Massive authentications from SP GoogleApps
>
> Hi Miguel,
>
> I have seen looping like this, but not necessarily involving Google. The
> user visits the SP, which redirects the user to our IDP for authentication.
> After success, the IDP redirects the user back to the SP. However, the SP
> does not accept the credentials (assertion). Perhaps the SP has its own
> database of users and the SP fails to find the user. Perhaps the assertion
> for this user is unacceptable for some other reason. The SP should display
> an error page, but instead lets the user try again. The SP redirects the
> user back to our IDP for authentication with a new auth request. But this
> time the user has an IDP session, so the IDP displays no login page and
> redirects the user back to the SP with another assertion, which the SP
> rejects. And this sets up a redirect loop.
>
> The IDP is unaware of any problem and the IDP logs show no errors. But the
> logs do show a large number of normal logins to the same SP by the same
> user.
>
> Steve Losen
> ITS - Enterprise Infrastructure
> University of Virginia
> mailto:scl at virginia.edu    434-924-0640
>
> From: users <users-bounces at shibboleth.net> On Behalf Of Miguel Salinas
> Vivancos
> Sent: Monday, September 2, 2019 1:04 PM
> To: users at shibboleth.net
> Subject: Massive authentications from SP GoogleApps
>
> Hi,
> We are using Shibboleth IDP 3.4.4 over Java 1.8, deployed in a Tomcat 8.5.
> We have multiple SPs configured to authenticate against our IDP, including
> big commercial ones like Amazon, Adobe and Microsoft.
>
> Our problem is that sometimes (maybe once or twice a week), we receive a
> huge amount of authentications from GoogleApps.
> I'm talking over 250 logins in a few seconds when the average for that SP
> is 5 per minute.
>
> In the logs we have seen that on that peak the user is always the same,
> and Shibboleth is generating different sessions. On different peaks, the
> users are different, so it doesn't seem to be a problem with specific users.
>
> This also happened to us with IDP 3.1.2 over Java 1.7 in a Tomcat 7, so
> the version of the components doesn't seem to be the problem either.
>
> Has anyone faced something similar? Maybe one of the applications of
> GoogleApps or the OS/device of the users?
>
> Thank you in advance
>
>
> Miguel Salinas Vivancos
> Identity Management Integrator
> Tel.: +34 639 198 154 - mail: msalinas at bcn.sia.es
>
> Grupo SIA
> Citypark, Edificio Atenas, Ctra. Hospitalet 147. 08940 Cornellá de
> Llobregat - Barcelona
> http://www.sia.es/  - Twitter: @SIA_es  - LinkedIn: Grupo SIA
>
>
> --
> For Consortium Member technical support, see
> https://wiki.shibboleth.net/confluence/x/coFAAg
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
>
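One way to spot the pattern Steve describes in the IdP logs (a burst of otherwise normal logins to the same SP by the same user within seconds, each with a new IdP session) is a sliding-window count per user and SP. This is an added example, not code from this thread or from the Shibboleth project; it assumes a simplified, constructed pipe-delimited layout `timestamp|SP entityID|principal|session id` rather than the IdP's real audit log format.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records in a simplified pipe-delimited layout:
# timestamp|SP entityID|principal|IdP session id
# (assumed for this example; not the real Shibboleth audit log format).
GOOGLE_SP = "google.com"
_base = datetime(2019, 9, 3, 9, 0, 0)
SAMPLE_LOG = [
    f"{_base.isoformat()}|{GOOGLE_SP}|alice|sess-a1",
    f"{(_base + timedelta(seconds=12)).isoformat()}|urn:amazon:webservices|bob|sess-b1",
    f"{(_base + timedelta(seconds=40)).isoformat()}|{GOOGLE_SP}|carol|sess-c1",
]
# Burst: one user, one SP, 40 logins inside four seconds, each with a fresh
# session id, which is the redirect-loop signature described in the thread.
SAMPLE_LOG += [
    f"{(_base + timedelta(seconds=60, milliseconds=100 * i)).isoformat()}"
    f"|{GOOGLE_SP}|dave|sess-d{i}"
    for i in range(40)
]


def parse_line(line):
    ts, sp, user, session = line.strip().split("|")
    return datetime.fromisoformat(ts), sp, user, session


def detect_login_loops(lines, window=timedelta(seconds=10), threshold=20):
    """Count logins per (user, SP) in a sliding time window and return one
    alert per pair whose count exceeds `threshold`; the alert reflects the
    largest count seen and how many distinct IdP sessions were involved."""
    recent = defaultdict(deque)  # (user, sp) -> deque of (timestamp, session)
    alerts = {}
    for ts, sp, user, session in sorted(parse_line(l) for l in lines):
        key = (user, sp)
        q = recent[key]
        q.append((ts, session))
        while q and ts - q[0][0] > window:  # drop events outside the window
            q.popleft()
        if len(q) > threshold and len(q) > alerts.get(key, {}).get("count", 0):
            alerts[key] = {
                "user": user, "sp": sp, "count": len(q),
                "first": q[0][0], "last": ts,
                "distinct_sessions": len({s for _, s in q}),
            }
    return list(alerts.values())
```

A baseline of roughly 5 logins per minute for the SP, as in the original report, stays well under the threshold, while the looping user is flagged on the first pass through the window.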