Fix performance issue with external identity provider lookup [SAML]
strehle opened this issue · comments
SAML related issue, details in #2821
What version of UAA are you running?
What output do you see from curl <YOUR_UAA>/info -H'Accept: application/json'?
How are you deploying the UAA?
I am deploying the UAA
- locally only using gradlew
- using a bosh release I downloaded from bosh.io
- using cf-release
- using cf-deployment
What did you do?
- Add many external SAML IdPs to an identity zone ( > 10.000)
- Perform a SAML to only one
- Check login times / DB metrics / memory
SAML delegates the lookup from entityID (external key or the SAML assertion) to spring-security-saml, and in UAA there is a cache, but if there are many entries there is a memory problem, e.g. https://github.com/cloudfoundry/uaa/blob/develop/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/LoginSamlAuthenticationProvider.java#L129 reads all SAML providers from the DB and then resolves the needed one from the SAML message (entityID).
Please include UAA logs if available.
We have created an issue in Pivotal Tracker to manage this:
https://www.pivotaltracker.com/story/show/187414837
The labels on this GitHub issue will be updated when the story is started.
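
The lookup pattern this issue describes (load every provider of the zone, then match on entityID) next to a keyed lookup with a bounded cache, as an added example that is not UAA's code. `IdpLookupDemo`, `Idp`, `resolveByScan`, `resolveByKey`, the in-memory table and the cache bound are assumptions, and the 10,000 sample IdPs are constructed.

```java
import java.util.*;
// Added illustration; class, record and method names are hypothetical, not UAA's.
public class IdpLookupDemo {
    record Idp(String zoneId, String entityId, String metadataXml) {}
    // Stand-in for the provider table; rowsRead counts rows materialized in memory.
    static final Map<String, Idp> TABLE = new HashMap<>();
    static long rowsRead = 0;
    static final int CACHE_MAX = 100; // assumed bound, tune per deployment
    // Bounded LRU cache: access-ordered map that evicts the eldest entry.
    static final Map<String, Idp> CACHE = new LinkedHashMap<>(16, 0.75f, true) {
        @Override protected boolean removeEldestEntry(Map.Entry<String, Idp> e) {
            return size() > CACHE_MAX;
        }
    };
    static String key(String zoneId, String entityId) { return zoneId + "\n" + entityId; }
    // Pattern described in the issue: load every provider of the zone, then filter.
    static Optional<Idp> resolveByScan(String zoneId, String entityId) {
        List<Idp> all = new ArrayList<>();
        for (Idp idp : TABLE.values()) {
            if (idp.zoneId().equals(zoneId)) { all.add(idp); rowsRead++; }
        }
        return all.stream().filter(i -> i.entityId().equals(entityId)).findFirst();
    }

    // Alternative: one keyed read (an indexed query on zone and entityID), cached on hit only.
    static Optional<Idp> resolveByKey(String zoneId, String entityId) {
        String k = key(zoneId, entityId);
        Idp cached = CACHE.get(k);
        if (cached != null) return Optional.of(cached);
        Idp row = TABLE.get(k);
        if (row == null) return Optional.empty(); // unknown entityIDs never enter the cache
        rowsRead++;
        CACHE.put(k, row);
        return Optional.of(row);
    }

    public static void main(String[] args) {
        for (int i = 0; i < 10_000; i++) { // constructed sample data
            String id = "https://idp" + i + ".example.test/saml";
            TABLE.put(key("zone1", id), new Idp("zone1", id, "<md:EntityDescriptor/>"));
        }
        String wanted = "https://idp4242.example.test/saml";
        resolveByScan("zone1", wanted);
        long scanRows = rowsRead;
        rowsRead = 0;
        for (int n = 0; n < 2; n++) resolveByKey("zone1", wanted); // second call is a cache hit
        System.out.println("scan rows=" + scanRows + " keyed rows=" + rowsRead + " cached=" + CACHE.size());
    }
}
```

Because the entityID arrives in the SAML message, caching only successful lookups and capping the cache size keeps memory use independent of how many distinct entityIDs are presented.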