Massive authentications from SP GoogleApps
Miguel Salinas Vivancos
msalinas at bcn.sia.es
Tue Sep 3 11:25:27 EDT 2019
Thanks a lot Greg!
So maybe on our application there is one of these vanity URLs to access a Google Application…
I’m going to ask around, maybe another team used one of them.
Regards
Miguel Salinas Vivancos
Identity Management Integrator
Tel.: +34 639 198 154 – mail:msalinas at bcn.sia.es
Grupo SIA
Citypark, Edificio Atenas, Ctra. Hospitalet 147. 08940 Cornellá de Llobregat – Barcelona
www.sia.es - Twitter: @SIA_es - LinkedIn: Grupo SIA
From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Greg Haverkamp
Sent: Tuesday, 3 September 2019 17:15
To: Shib Users
Subject: Re: Massive authentications from SP GoogleApps
On Tue, Sep 3, 2019 at 7:18 AM Miguel Salinas Vivancos <msalinas at bcn.sia.es> wrote:
Hi Steve, thank you for your answer.
If the hypothesis is a SAML Response rejected by the SP, then it will only happen with specific Google Applications, right? The rest of the users are accessing Gmail without problems.
I don't know if Google stores the users but it's strange that they check it in just some apps.
We've seen it historically for users who initiate logins at specific vanity URLs (e.g., http://gcal.lbl.gov) that have CNAME records pointing to Google. It's not all of them; Calendar has historically been the worst. We've never had problems with Gmail. After wasting too much time on it, my solution for users has been, "Don't do that." I probably should have just removed the domain mapping.
AFAIK, it has not happened to users when visiting the direct service URLs.
The assertion is quite simple as we only send the mail attribute.
I've found this link https://developers.google.com/admin-sdk/reports/v1/appendix/activity/saml, maybe we can try to lookup the SP logs...
Those logs are for the G Suite IdP, not the SP.
Greg
If we find the answer, we'll post it.
Miguel Salinas Vivancos
Identity Management Integrator
Tel.: +34 639 198 154 - mail: msalinas at bcn.sia.es
Grupo SIA
Citypark, Edificio Atenas, Ctra. Hospitalet 147. 08940 Cornellá de Llobregat - Barcelona
www.sia.es - Twitter: @SIA_es - LinkedIn: Grupo SIA
-----Original Message-----
From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Losen, Stephen C (scl)
Sent: Tuesday, 3 September 2019 12:31
To: Shib Users
Subject: RE: Massive authentications from SP GoogleApps
Hi Miguel,
I have seen looping like this, but not necessarily involving Google. The user visits the SP, which redirects the user to our IDP for authentication. After success, the IDP redirects the user back to the SP. However, the SP does not accept the credentials (assertion). Perhaps the SP has its own database of users and the SP fails to find the user. Perhaps the assertion for this user is unacceptable for some other reason. The SP should display an error page, but instead lets the user try again. The SP redirects the user back to our IDP for authentication with a new auth request. But this time the user has an IDP session, so the IDP displays no login page and redirects the user back to the SP with another assertion, which the SP rejects. And this sets up a redirect loop.
The IDP is unaware of any problem and the IDP logs show no errors. But the logs do show a large number of normal logins to the same SP by the same user.
Steve Losen
ITS - Enterprise Infrastructure
University of Virginia
scl at virginia.edu 434-924-0640
From: users <users-bounces at shibboleth.net> On Behalf Of Miguel Salinas Vivancos
Sent: Monday, September 2, 2019 1:04 PM
To: users at shibboleth.net
Subject: Massive authentications from SP GoogleApps
Hi,
We are using Shibboleth IDP 3.4.4 over Java 1.8, deployed in a Tomcat 8.5.
We have multiple SPs configured to authenticate against our IDP, including big commercial ones like Amazon, Adobe and Microsoft.
Our problem is that sometimes (maybe once or twice a week), we receive a huge amount of authentications from GoogleApps.
I'm talking over 250 logins in a few seconds when the average for that SP is 5 per minute.
In the logs we have seen that during that peak the user is always the same, and Shibboleth is generating different sessions. On different peaks, the users are different, so it doesn't seem to be a problem with specific users.
This also happened to us with IDP 3.1.2 over Java 1.7 in a Tomcat 7, so the version of the components doesn't seem to be the problem either.
Has anyone faced something similar? Maybe one of the applications of GoogleApps or the OS/device of the users?
Thank you in advance
Miguel Salinas Vivancos
Identity Management Integrator
Tel.: +34 639 198 154 - mail: msalinas at bcn.sia.es
Grupo SIA
Citypark, Edificio Atenas, Ctra. Hospitalet 147. 08940 Cornellá de Llobregat - Barcelona
http://www.sia.es/ - Twitter: @SIA_es - LinkedIn: Grupo SIA
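The symptom Miguel describes (hundreds of IdP logins for one user to one SP within seconds, each with a fresh session) and the SP redirect loop Steve explains are easiest to catch on the IdP side by looking for per-user, per-SP login bursts in the audit log. The following script is an added example for this thread, not code from the Shibboleth project or from anyone on the list. It assumes a simplified, constructed pipe-delimited audit format (timestamp, SP entityID, username, session ID); the real IdP audit log layout is configurable, so the column positions in `parse_audit_line` would need adjusting, and the SP entityIDs and user names in the sample are made up.

```python
"""Flag per-user, per-SP login bursts in a (simplified) IdP audit log.

Added example for the list thread; assumes a constructed 4-column
pipe-delimited format, NOT the real Shibboleth idp-audit.log layout.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines (not real IdP output).
# Columns: timestamp|SP entityID|username|IdP session id
SAMPLE_AUDIT = """\
20190903T170100Z|google.com/a/example.org|alice|s001
20190903T170101Z|google.com/a/example.org|alice|s002
20190903T170101Z|google.com/a/example.org|alice|s003
20190903T170102Z|google.com/a/example.org|alice|s004
20190903T170103Z|google.com/a/example.org|alice|s005
20190903T170104Z|google.com/a/example.org|alice|s006
20190903T170105Z|google.com/a/example.org|alice|s007
20190903T170106Z|google.com/a/example.org|alice|s008
20190903T170110Z|google.com/a/example.org|bob|s009
20190903T171500Z|google.com/a/example.org|bob|s010
20190903T170200Z|urn:example:adobe|alice|s011
"""


def parse_audit_line(line):
    """Split one constructed audit line into (timestamp, sp, user, session)."""
    ts, sp, user, session = line.strip().split("|")
    return datetime.strptime(ts, "%Y%m%dT%H%M%SZ"), sp, user, session


def find_login_bursts(lines, window_seconds=10, threshold=5):
    """Return one record per (SP, user) whose densest window of logins
    reaches `threshold` events within `window_seconds`.

    A genuine SSO redirect loop shows up as many logins for the same
    (SP, user) pair in a very short window; normal use does not.
    """
    events = defaultdict(list)     # (sp, user) -> sorted login timestamps
    sessions = defaultdict(set)    # (sp, user) -> distinct IdP session ids
    for line in lines:
        if not line.strip():
            continue
        ts, sp, user, session = parse_audit_line(line)
        events[(sp, user)].append(ts)
        sessions[(sp, user)].add(session)

    window = timedelta(seconds=window_seconds)
    bursts = []
    for key, stamps in events.items():
        stamps.sort()
        best_count, best_start, best_end = 0, None, None
        left = 0
        # Sliding window: for each event, shrink from the left until the
        # window fits, then record the densest window seen so far.
        for right, ts in enumerate(stamps):
            while ts - stamps[left] > window:
                left += 1
            count = right - left + 1
            if count > best_count:
                best_count, best_start, best_end = count, stamps[left], ts
        if best_count >= threshold:
            sp, user = key
            bursts.append({
                "sp": sp,
                "user": user,
                "count": best_count,
                "start": best_start,
                "end": best_end,
                # Many distinct session ids in one burst means the IdP
                # really is issuing fresh logins, not replaying one.
                "distinct_sessions": len(sessions[key]),
            })
    return bursts


if __name__ == "__main__":
    for b in find_login_bursts(SAMPLE_AUDIT.splitlines()):
        print(f"{b['user']} -> {b['sp']}: {b['count']} logins "
              f"({b['distinct_sessions']} sessions) between "
              f"{b['start']:%H:%M:%S} and {b['end']:%H:%M:%S}")
```

Run against the constructed sample, only the alice/Google pair is reported (8 logins in 6 seconds, 8 distinct sessions); bob's two logins fifteen minutes apart and alice's single Adobe login are ignored. On a real deployment the threshold should be set well above the SP's normal rate (Miguel quotes about 5 per minute for Google versus 250 in a few seconds during an incident), and the flagged (SP, user, time window) is exactly what to hand to the SP operator, since, as Steve notes, the IdP log itself records nothing but successful logins.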
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net