Fix performance issue with external identity provider lookup [SAML] #2825
Comments
|
We have created an issue in Pivotal Tracker to manage this: https://www.pivotaltracker.com/story/show/187414837 The labels on this github issue will be updated when the story is started. |
|
@strehle, do you have or know cases where UAA is configured with that many external SAML IdPs? I wonder if this issue is actually practical. |
it is related to use case, that you have multi-tenant CF and for CF login / management you have links from the tenants into UAA zone. And we have this, not for SAML, but for OIDC. Means with #2505 and even now, we have many (> 1000) IdPs in UAA zone. Thus we have this select screen: https://uaa.cf.us10.hana.ondemand.com/ , means account chooser. |
SAML related issue, details in #2821
What version of UAA are you running?
What output do you see from
curl <YOUR_UAA>/info -H'Accept: application/json'?How are you deploying the UAA?
I am deploying the UAA
What did you do?
SAML delegates the lookup from entiyID (external key or the SAML assertion) to spring-security-saml and in UAA there is a cache but if there are many entries there is a memory problem, e.g. https://github.com/cloudfoundry/uaa/blob/develop/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/LoginSamlAuthenticationProvider.java#L129 reads all saml providers from DB and resolves then the needed one from SAML message (entityID)
Please include UAA logs if available.
The text was updated successfully, but these errors were encountered: