cloudfoundry / uaa

CloudFoundry User Account and Authentication (UAA) Server
Apache License 2.0

Fix performance issue with external identity provider lookup [SAML] #2825

Open strehle opened 2 months ago

strehle commented 2 months ago

SAML related issue, details in https://github.com/cloudfoundry/uaa/issues/2821

What version of UAA are you running?

What output do you see from curl <YOUR_UAA>/info -H'Accept: application/json'?

How are you deploying the UAA?

I am deploying the UAA

What did you do?

  1. Add many external SAML IdP to an identity zone ( > 10.000)
  2. Perform a SAML to only one
  3. Check login times / DB metrics / memory

SAML delegates the lookup from entityID (external key or the SAML assertion) to spring-security-saml, and in UAA there is a cache, but if there are many entries there is a memory problem, e.g. https://github.com/cloudfoundry/uaa/blob/develop/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/LoginSamlAuthenticationProvider.java#L129 reads all SAML providers from the DB and then resolves the needed one from the SAML message (entityID).

Please include UAA logs if available.

cf-gitbot commented 2 months ago

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/187414837

The labels on this github issue will be updated when the story is started.

strehle commented 2 months ago

@swalchemist @Tallicia FYI

hsinn0 commented 3 weeks ago

@strehle, do you have or know cases where UAA is configured with that many external SAML IdPs? I wonder if this issue is actually practical.

strehle commented 3 weeks ago

@strehle, do you have or know cases where UAA is configured with that many external SAML IdPs? I wonder if this issue is actually practical.

It is related to the use case that you have a multi-tenant CF and for CF login / management you have links from the tenants into the UAA zone. And we have this, not for SAML, but for OIDC. This means that with https://github.com/cloudfoundry/uaa/issues/2505 and even now, we have many (> 1000) IdPs in a UAA zone. Thus we have this select screen: https://uaa.cf.us10.hana.ondemand.com/ , i.e. the account chooser. In the account chooser you provide the origin, for which we have an indexed search. However, if the answer from the IdP returns - in both cases SAML and/or OIDC - then the lookup is done from entityID (SAML) or issuer (OIDC) without any indexes. The issue is similar in SAML and OIDC, but in our weekly sync meetings we discussed having 2 issues, for SAML and OIDC.