IPSEC access method into WSS
SAML authentication enabled for users with IP surrogates
Despite having under 100k users authenticating daily with an IP surrogate timeout of 8 hours, the SAML IDP server is seeing millions of requests from the WSS SAML SP.
No users are impacted by this behaviour.
How can we reduce the number of SAML AuthnRequests sent to the SAML IDP server that users are authenticating with?
IPSEC or Transproxy access methods
IP Surrogates
Web Applications continuously generating REST calls into WSS without being able to follow redirects.
Web Applications cannot handle JavaScript that could include the SAML assertion.
The end result is that the Web Applications keep generating requests to back-end services without ever completing the authentication. This happens over and over and can trigger huge volumes of REST calls, each of which is redirected to the SAML IDP server, out of hours once the user's authenticated session has expired.
A detailed analysis must be done of the Applications that are triggering the SAML redirects to the IDP server.
Go to Report Center in the Cloud SWG Portal and execute the 'Run simple report' option with Other -> Verdict -> authentication_redirect_off_box.
This produces a list of all domains, IP addresses and User-Agents that are triggering these redirects, which puts you in a position to determine the next steps.
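The same domain / IP address / User-Agent breakdown can be reproduced offline from an exported access log. The script below is an added example, not part of this article or of Cloud SWG; it assumes a constructed, simplified log layout (timestamp, client IP, domain, User-Agent, verdict), counts authentication_redirect_off_box verdicts per domain and User-Agent, and flags how many fall outside working hours, since out-of-hours redirects are the signature of an application retrying after the user's session has expired.

```python
import re
from datetime import datetime

# Constructed sample lines in an ASSUMED "timestamp client_ip domain user_agent verdict"
# layout; this is not the real Cloud SWG log format, so adapt parse() to your export.
SAMPLE_LOG = """\
2024-03-04T02:15:01Z 10.1.2.3 api.example.com Thick-Client/1.0 authentication_redirect_off_box
2024-03-04T02:15:02Z 10.1.2.3 api.example.com Thick-Client/1.0 authentication_redirect_off_box
2024-03-04T02:16:10Z 10.1.2.4 telemetry.example.net Agent/2.1 authentication_redirect_off_box
2024-03-04T09:30:00Z 10.1.2.5 www.example.org Mozilla/5.0 authentication_redirect_off_box
2024-03-04T09:31:00Z 10.1.2.5 www.example.org Mozilla/5.0 allowed
2024-03-04T23:45:00Z 10.1.2.3 api.example.com Thick-Client/1.0 authentication_redirect_off_box
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")
REDIRECT_VERDICT = "authentication_redirect_off_box"  # verdict name used by the report

def parse(line):
    """Return (timestamp, client_ip, domain, user_agent, verdict), or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return (ts,) + m.groups()[1:]

def redirect_sources(log_text, work_start=8, work_end=18):
    """Count SAML redirects per (domain, user_agent) and how many fell out of hours.
    A high out-of-hours share is the pattern the article describes: an application
    retrying REST calls after the user's IP surrogate / IDP session has expired."""
    stats = {}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec[4] != REDIRECT_VERDICT:
            continue  # malformed line, or a verdict other than the redirect
        ts, _ip, domain, ua, _verdict = rec
        entry = stats.setdefault((domain, ua), {"total": 0, "out_of_hours": 0})
        entry["total"] += 1
        if not (work_start <= ts.hour < work_end):
            entry["out_of_hours"] += 1
    return stats

def ranked(stats):
    """Sources sorted by total redirects, busiest first: the first candidates to review."""
    return sorted(stats.items(), key=lambda kv: kv[1]["total"], reverse=True)

if __name__ == "__main__":
    for (domain, ua), s in ranked(redirect_sources(SAMPLE_LOG)):
        print(f"{domain:22} {ua:18} total={s['total']} out_of_hours={s['out_of_hours']}")
```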
In most cases, the domains are likely to be REST endpoints, and two main options are available to help address the situation and reduce the number of calls.
More importantly, these REST calls are being generated by Web Applications after the user's session has expired, when the user is therefore no longer logged in.
The first option is that the user only accesses websites via the browser or via applications such as O365, which can redirect the user to the IDP server for authentication upon returning online; during this process, the REST calls continue functioning as usual.
Alternatively, other options may be considered, such as a script that puts the host to sleep when the user has been idle for a period after leaving the office. This could be triggered by the screensaver and require a login when the user subsequently unlocks the screen.