WSS SAML SP generating too many requests into SAML IDP server

Article ID: 231517


Updated On:

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

IPSEC access method into WSS

SAML authentication enabled for users with IP surrogates

Despite having under 100k users authenticating daily with an IP surrogate timeout of 8 hours, the SAML IDP server is seeing millions of requests from the WSS SAML SP

No users are impacted by this behaviour.

How can we reduce the number of SAML AuthnRequests sent to the SAML IDP server that users authenticate against?

Environment

IPSEC or Transproxy access methods

IP Surrogates

Cause

Web applications continuously generate REST calls through WSS but are unable to follow the authentication redirect.

These applications cannot process the JavaScript-based response that is used to carry the SAML assertion back to the SP.

As a result, the web applications keep issuing requests to their back-end services without ever completing authentication. Each request is unauthenticated, so WSS redirects it to the SAML IDP server again; this repeats indefinitely and can generate very large volumes of REST calls, each producing a redirect to the IDP server, typically out of hours once the user's authenticated session (IP surrogate) has expired.

Resolution

Start with a detailed analysis of the applications that are triggering the SAML redirects to the IDP server.

Go to Report Center in the Cloud SWG Portal and execute the 'Run simple report' option with Other -> Verdict -> authentication_redirect_off_box.

This gives a list of all domains, IP addresses and User-Agents that are triggering these redirects, from which the next steps can be determined.
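The triage below is an added example and is not part of the original article or of the Cloud SWG product. It assumes the report has been exported as CSV with the columns timestamp, client_ip, user_agent and host (the column names and all sample rows are constructed for illustration; adjust them to match your export). It aggregates redirects per host, counts how many came from non-browser User-Agents and how many happened outside an assumed 08:00-18:00 office day, and lists the hosts whose redirects are almost entirely non-browser traffic, which are the candidates for the authentication bypass or unauthenticated-block options discussed below.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample export, not real customer data. Two browser hits during the
# day on a portal, a sync agent hammering a REST API overnight, and a small
# scripted client. Quoted fields are needed because browser UAs contain commas.
SAMPLE_CSV = """timestamp,client_ip,user_agent,host
2023-05-10T09:15:02,10.1.2.3,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36",portal.example.com
2023-05-10T09:16:40,10.1.2.4,"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0",portal.example.com
2023-05-10T22:00:01,10.1.2.3,ExampleSyncAgent/2.4,api.example-saas.com
2023-05-10T22:00:06,10.1.2.3,ExampleSyncAgent/2.4,api.example-saas.com
2023-05-10T22:00:11,10.1.2.3,ExampleSyncAgent/2.4,api.example-saas.com
2023-05-10T23:45:30,10.1.2.5,ExampleSyncAgent/2.4,api.example-saas.com
2023-05-11T02:10:00,10.1.2.5,ExampleSyncAgent/2.4,api.example-saas.com
2023-05-11T03:00:00,10.1.2.6,python-requests/2.31.0,telemetry.example.net
2023-05-11T10:05:00,10.1.2.6,python-requests/2.31.0,telemetry.example.net
"""

# Heuristic, not an authoritative list: real browsers send "Mozilla/" followed
# by an engine or product token. REST clients and sync agents usually send a
# bare product token and cannot run the JavaScript that completes the SAML flow.
BROWSER_MARKERS = ("Chrome/", "Firefox/", "Safari/", "Edg/")


def is_browser(user_agent):
    return user_agent.startswith("Mozilla/") and any(m in user_agent for m in BROWSER_MARKERS)


def is_off_hours(ts, start_hour=8, end_hour=18):
    """True when the redirect happened outside the assumed office day, i.e. when
    an 8-hour IP surrogate created at login has most likely expired."""
    return ts.hour < start_hour or ts.hour >= end_hour


def parse_report(text):
    """Parse the exported CSV into dicts with a real datetime for the timestamp."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rows.append({
            "ts": datetime.fromisoformat(rec["timestamp"]),
            "client_ip": rec["client_ip"],
            "user_agent": rec["user_agent"],
            "host": rec["host"],
        })
    return rows


def summarize(rows):
    """Per-host counters: total redirects, off-hours redirects, non-browser
    redirects, plus the distinct client IPs and User-Agents involved."""
    summary = defaultdict(lambda: {"total": 0, "off_hours": 0, "non_browser": 0,
                                   "client_ips": set(), "user_agents": set()})
    for r in rows:
        s = summary[r["host"]]
        s["total"] += 1
        s["off_hours"] += int(is_off_hours(r["ts"]))
        s["non_browser"] += int(not is_browser(r["user_agent"]))
        s["client_ips"].add(r["client_ip"])
        s["user_agents"].add(r["user_agent"])
    return dict(summary)


def bypass_candidates(summary, min_hits=3, min_non_browser_ratio=0.9):
    """Hosts whose redirects come almost entirely from non-browser clients,
    ordered by volume. Browser-driven hosts are left alone because a browser can
    complete the SAML exchange; these hosts cannot and only generate noise."""
    out = [host for host, s in summary.items()
           if s["total"] >= min_hits and s["non_browser"] / s["total"] >= min_non_browser_ratio]
    return sorted(out, key=lambda h: summary[h]["total"], reverse=True)


def print_triage(summary):
    for host, s in sorted(summary.items(), key=lambda kv: kv[1]["total"], reverse=True):
        print(f"{host:24} hits={s['total']:3d} off_hours={s['off_hours']:3d} "
              f"non_browser={s['non_browser']:3d} ips={len(s['client_ips'])} "
              f"agents={sorted(s['user_agents'])}")


if __name__ == "__main__":
    summary = summarize(parse_report(SAMPLE_CSV))
    print_triage(summary)
    print("bypass/block candidates:", bypass_candidates(summary))
```

Run it against a real export by replacing SAMPLE_CSV with the file contents. The off-hours column is the quick confirmation of the cause described above: a host whose redirects cluster after the surrogate has expired, from a single non-browser User-Agent, is an application retrying in a loop rather than a user trying to log in. The client_ips set is what you will have to fall back on for attribution once such a host is bypassed from authentication.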

In most cases, the domains are likely to be REST endpoints and two main options are available to help address the situation and reduce the number of calls.

More importantly, these REST calls are generated by the web applications after the user's session has expired, so the user is no longer logged in and there is no browser session in which the redirect could be completed.

  1. Bypass the domain(s) from authentication

    Once the domain is added to the Authentication bypass list, requests to these endpoints are no longer redirected to authenticate and the SAML redirects stop. In most cases these REST endpoints already require their own application-level authentication. The downside is that WSS can no longer attribute these requests to a user; only the client IP address is available, and the user has to be worked out backwards from that.

  2. Create a rule blocking access to these domain(s) for unauthenticated users.

    The user will still reach websites through the browser or through applications such as O365, which can follow the redirect to the IDP server and re-authenticate when the user comes back online. Until then, the unauthenticated REST calls are blocked rather than redirected, so they generate no AuthnRequests to the IDP server; once the user has re-authenticated, the REST calls function as usual.

Alternatively, other measures may be considered, such as a script that puts the host to sleep when the user has been idle for a period after leaving the office. This could be triggered by the screensaver and require the user to log in again when the screen is subsequently unlocked, so that the applications stop polling while nobody is logged in.