WSS SAML SP generating too many requests into SAML IDP server

Article ID: 231517


Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

IPSEC access method into WSS

SAML authentication enabled for users with IP surrogates

Despite fewer than 100k users authenticating daily, with an IP surrogate timeout of 8 hours, the SAML IDP server is seeing millions of requests from the WSS SAML SP.

No users are impacted by this behaviour.

How can we reduce the number of SAML AuthnRequests sent to the SAML IDP server that users are authenticating with?

Environment

IPSEC or Transproxy access methods

IP Surrogates

Cause

Web applications continuously generating REST calls into WSS without being able to follow redirects.

Web applications cannot handle the JavaScript that could include the SAML assertion.

The end result is that the web applications keep generating requests to back-end services without completing the authentication. This happens over and over and can trigger huge volumes of REST calls, each triggering a redirect to the SAML IDP server, out of hours once the user's authenticated session has expired.

Resolution

A detailed analysis must be done of the applications that are triggering the SAML redirects to the IDP server. In the Report center, run the 'Run simple report' option with Other -> Verdict -> authentication_redirect_off_box. This gives you a list of all domains / IP addresses / User-Agents that are triggering these redirects and puts you in a position to determine next steps.

In most cases, the domains are likely to be REST endpoints, and two main options are available to address the situation and reduce the number of calls. More importantly, these REST calls are being generated by web applications after the user's session has expired, so the user is therefore no longer logged in.
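As an added example (not code from this article or from the Cloud SWG product), the same aggregation the report gives you, run offline over a few constructed log lines: count authentication_redirect_off_box verdicts per host and User-Agent, and flag hosts whose redirects come mostly outside working hours from non-browser agents, which are the candidates for the two options below. The space-separated record layout and the 08:00-17:59 working day are assumptions, not the product's log format.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records in a simplified space-separated layout
# (timestamp client_ip verdict host user_agent). This is NOT the Cloud SWG
# log format, only a stand-in so the aggregation can run offline.
SAMPLE_LOG = """\
2024-05-06T02:14:03Z 10.1.2.3 authentication_redirect_off_box api.example.test "SyncClient/4.1"
2024-05-06T02:14:05Z 10.1.2.3 authentication_redirect_off_box api.example.test "SyncClient/4.1"
2024-05-06T02:14:07Z 10.1.2.3 authentication_redirect_off_box api.example.test "SyncClient/4.1"
2024-05-06T03:01:10Z 10.1.2.9 authentication_redirect_off_box telemetry.example.test "Updater/2.0"
2024-05-06T09:30:00Z 10.1.2.3 authentication_redirect_off_box www.example.test "Mozilla/5.0"
2024-05-06T09:30:02Z 10.1.2.3 allowed www.example.test "Mozilla/5.0"
"""

BUSINESS_HOURS = range(8, 18)  # assumed working day, 08:00 to 17:59


def parse_line(line):
    """Split one constructed record into its fields (user-agent is quoted)."""
    ts, ip, verdict, host, ua = line.split(" ", 4)
    stamp = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return stamp, ip, verdict, host, ua.strip('"')


def redirect_summary(log_text):
    """Count authentication_redirect_off_box verdicts per (host, user_agent),
    split into hits during and outside business hours, with the client IPs seen."""
    summary = defaultdict(lambda: {"in_hours": 0, "off_hours": 0, "clients": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, ip, verdict, host, ua = parse_line(line)
        if verdict != "authentication_redirect_off_box":
            continue
        entry = summary[(host, ua)]
        entry["in_hours" if stamp.hour in BUSINESS_HOURS else "off_hours"] += 1
        entry["clients"].add(ip)
    return summary


def likely_background_rest(summary, min_hits=2):
    """Hosts whose redirects come mostly off-hours from non-browser agents: the
    candidates for the authentication bypass list or an unauthenticated-block rule."""
    return sorted(
        host for (host, ua), e in summary.items()
        if e["off_hours"] >= min_hits
        and e["off_hours"] > e["in_hours"]
        and not ua.startswith("Mozilla/")
    )
```

The browser-driven redirect to www.example.test during the day is kept in the summary but not flagged, since that is the case where the user is present and can complete the IDP login.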

1. Whitelist the domain from authentication: by adding the domain to the Authentication bypass list, users accessing these endpoints will not be redirected to authenticate, and the SAML redirections will no longer be seen. In most cases, these REST endpoints already require authenticated calls. The downside, however, is that we cannot determine which user generates the requests (we can get the IP address and work our way backwards).

2. Create a rule blocking access to these domains from unauthenticated users. Only when the user comes back online will they access web sites via the browser, or applications like O365 that can redirect users to the IDP server to complete the authentication process. Once that happens, the REST calls will continue to work normally.

Other options also exist, including launching a script that puts the host to sleep when the user leaves the office and is idle for a period of time; you could do this with a screensaver action and force a login when the user unlocks their screen later on.