cloudfoundry/uaa

Fix performance issue with external identity provider lookup [SAML]

strehle opened this issue · 4 comments

SAML related issue, details in #2821

What version of UAA are you running?

What output do you see from curl <YOUR_UAA>/info -H'Accept: application/json'?

How are you deploying the UAA?

I am deploying the UAA

  • locally only using gradlew
  • using a bosh release I downloaded from bosh.io
  • using cf-release
  • using cf-deployment

What did you do?

  1. Add many external SAML IdP to an identity zone ( > 10.000)
  2. Perform a SAML to only one
  3. Check login times / DB metrics / memory

SAML delegates the lookup from entiyID (external key or the SAML assertion) to spring-security-saml and in UAA there is a cache but if there are many entries there is a memory problem, e.g. https://github.com/cloudfoundry/uaa/blob/develop/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/LoginSamlAuthenticationProvider.java#L129 reads all saml providers from DB and resolves then the needed one from SAML message (entityID)
Please include UAA logs if available.

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/187414837

The labels on this github issue will be updated when the story is started.

@strehle, do you have or know cases where UAA is configured with that many external SAML IdPs? I wonder if this issue is actually practical.

@strehle, do you have or know cases where UAA is configured with that many external SAML IdPs? I wonder if this issue is actually practical.

it is related to use case, that you have multi-tenant CF and for CF login / management you have links from the tenants into UAA zone. And we have this, not for SAML, but for OIDC. Means with #2505 and even now, we have many (> 1000) IdPs in UAA zone. Thus we have this select screen: https://uaa.cf.us10.hana.ondemand.com/ , means account chooser.
In account chooser you provide the origin where we have a indexed search. However if the Answer from IdP returns - in both cases SAML and/or OIDC - then the lookup is done from entityID (SAML) or issuer (OIDC) without any indexes.
The issue is similar in SAML and OIDC; but in our weekly sync meetings we discussed to have 2 issues for SAML and OIDC.