Open strehle opened 7 months ago
We have created an issue in Pivotal Tracker to manage this:
https://www.pivotaltracker.com/story/show/187414837
The labels on this github issue will be updated when the story is started.
@swalchemist @Tallicia FYI
@strehle, do you have or know cases where UAA is configured with that many external SAML IdPs? I wonder if this issue is actually practical.
It is related to the use case where you have a multi-tenant CF and, for CF login / management, you have links from the tenants into the UAA zone. And we have this, not for SAML, but for OIDC. This means that with https://github.com/cloudfoundry/uaa/issues/2505, and even now, we have many (> 1000) IdPs in a UAA zone. Thus we have this select screen: https://uaa.cf.us10.hana.ondemand.com/ , i.e. an account chooser. In the account chooser you provide the origin, for which we have an indexed search. However, when the answer from the IdP returns, in both cases SAML and/or OIDC, the lookup is done by entityID (SAML) or issuer (OIDC) without any indexes. The issue is similar in SAML and OIDC, but in our weekly sync meetings we discussed having 2 issues, one for SAML and one for OIDC.
SAML-related issue, details in https://github.com/cloudfoundry/uaa/issues/2821
What version of UAA are you running?
What output do you see from
curl <YOUR_UAA>/info -H'Accept: application/json' ?
How are you deploying the UAA?
I am deploying the UAA
What did you do?
SAML delegates the lookup by entityID (external key or the SAML assertion) to spring-security-saml, and in UAA there is a cache, but if there are many entries there is a memory problem, e.g. https://github.com/cloudfoundry/uaa/blob/develop/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/LoginSamlAuthenticationProvider.java#L129 reads all SAML providers from the DB and then resolves the needed one from the SAML message (entityID).
Please include UAA logs if available.
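The following is an added illustration, not UAA's or spring-security-saml's code, contrasting the two lookup strategies discussed in this issue: reading every SAML provider per login and then filtering by the entityID taken from the SAML Response, versus a per-zone index keyed by entityID. The `SamlIdp` record shape, the constructed 1000-entry provider list, the constructed SAML Response and the rule that an entityID is unique within a zone are all assumptions made for the example.

```python
"""Resolving an inbound SAML Response to its IdP record by entityID.

Added illustration, not UAA or spring-security-saml code. Assumes a provider
record of (zone_id, origin, entity_id) and that entityIDs are unique per zone.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

SAML_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


@dataclass(frozen=True)
class SamlIdp:
    zone_id: str      # identity zone that owns this provider (assumed shape)
    origin: str       # origin key, as presented in an account chooser
    entity_id: str    # the IdP's SAML entityID (the Issuer of its Response)


def issuer_of(saml_response_xml: str) -> str:
    """Return the top-level <saml:Issuer> of a SAML Response."""
    # ET suffices for this constructed input; parse untrusted XML with defusedxml.
    root = ET.fromstring(saml_response_xml)
    issuer = root.find(f"{{{SAML_ASSERTION_NS}}}Issuer")
    text = (issuer.text or "").strip() if issuer is not None else ""
    if not text:
        raise ValueError("SAML Response carries no Issuer")
    return text


def resolve_by_scan(providers: Iterable[SamlIdp], zone_id: str,
                    entity_id: str) -> Tuple[Optional[SamlIdp], int]:
    """Load-everything strategy: every provider record is read on each login.

    Returns (matching provider or None, number of records touched).
    """
    loaded = list(providers)  # stands in for 'read all SAML providers from DB'
    match = next((p for p in loaded
                  if p.zone_id == zone_id and p.entity_id == entity_id), None)
    return match, len(loaded)


class IdpIndex:
    """Indexed strategy: one hash lookup per login, keyed by (zone, entityID)."""

    def __init__(self, providers: Iterable[SamlIdp]):
        self._by_key = {}
        for p in providers:
            key = (p.zone_id, p.entity_id)
            if key in self._by_key:  # ambiguous entityID within one zone
                raise ValueError(
                    f"duplicate entityID {p.entity_id!r} in zone {p.zone_id!r}")
            self._by_key[key] = p

    def resolve(self, zone_id: str,
                entity_id: str) -> Tuple[Optional[SamlIdp], int]:
        """Zone-scoped lookup; an IdP from another zone never matches."""
        return self._by_key.get((zone_id, entity_id)), 1


# --- constructed sample data (not real providers) -------------------------
def sample_providers(count: int = 1000) -> list:
    return [SamlIdp("tenant-zone", f"idp-{i:04d}",
                    f"https://idp-{i:04d}.example.test/saml/metadata")
            for i in range(count)]


# Constructed, unsigned SAML Response carrying only the Issuer we resolve on.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp-0742.example.test/saml/metadata</saml:Issuer>
</samlp:Response>"""


def demo() -> dict:
    providers = sample_providers()
    index = IdpIndex(providers)
    entity_id = issuer_of(SAMPLE_RESPONSE)
    scanned, scan_cost = resolve_by_scan(providers, "tenant-zone", entity_id)
    indexed, index_cost = index.resolve("tenant-zone", entity_id)
    # The same Issuer presented in a different zone must not resolve.
    cross_zone, _ = index.resolve("other-zone", entity_id)
    return {"entity_id": entity_id, "scan": scanned, "scan_cost": scan_cost,
            "indexed": indexed, "index_cost": index_cost,
            "cross_zone": cross_zone}


if __name__ == "__main__":
    r = demo()
    print(f"{r['entity_id']} -> origin {r['indexed'].origin}: "
          f"scan touched {r['scan_cost']} records, index touched {r['index_cost']}")
```

Both strategies return the same provider; the difference is that the scan touches all 1000 records on every login while the index touches one, which is the cost that grows with the number of IdPs in a zone. The index is keyed by zone as well as entityID so that a provider registered in one tenant's zone cannot satisfy a login in another. Resolving the record is only the first step: a real implementation still has to validate the Response signature against the resolved provider's metadata before trusting anything else in it.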