-
Notifications
You must be signed in to change notification settings - Fork 826
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix performance issue with external identity provider lookup [SAML] #2825
Comments
We have created an issue in Pivotal Tracker to manage this: https://www.pivotaltracker.com/story/show/187414837 The labels on this github issue will be updated when the story is started. |
@strehle, do you have or know cases where UAA is configured with that many external SAML IdPs? I wonder if this issue is actually practical. |
it is related to use case, that you have multi-tenant CF and for CF login / management you have links from the tenants into UAA zone. And we have this, not for SAML, but for OIDC. Means with #2505 and even now, we have many (> 1000) IdPs in UAA zone. Thus we have this select screen: https://uaa.cf.us10.hana.ondemand.com/ , means account chooser. |
SAML related issue, details in #2821
What version of UAA are you running?
What output do you see from
curl <YOUR_UAA>/info -H'Accept: application/json'
?How are you deploying the UAA?
I am deploying the UAA
What did you do?
SAML delegates the lookup from entiyID (external key or the SAML assertion) to spring-security-saml and in UAA there is a cache but if there are many entries there is a memory problem, e.g. https://github.com/cloudfoundry/uaa/blob/develop/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/LoginSamlAuthenticationProvider.java#L129 reads all saml providers from DB and resolves then the needed one from SAML message (entityID)
Please include UAA logs if available.
The text was updated successfully, but these errors were encountered: