Delegated SAML2 logins create huge tickets


Tomi Karlstedt

May 20, 2025, 3:29:08 AM
to CAS Community
Hi,

We enabled a SAML2 integration on our CAS 7 server. The CAS server acts as a service provider. For whatever reason, the integration is creating huge tickets in the database and eventually producing OutOfMemoryErrors on the CAS server. We checked that one of the serialized tickets looks otherwise pretty normal, except that it has hundreds of megabytes of authnContext with just a single array list of strings:

"authenticationAttributes":{"@class":"java.util.HashMap","issuerId":"***","authnContext":["java.util.ArrayList",["urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport","urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport","urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport","urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport","urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport","urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport","urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport","urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport","urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport","urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport","urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport","urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport","urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"...

Our configuration is as follows:

cas.authn.pac4j.saml[0].keystore-password: ***
cas.authn.pac4j.saml[0].private-key-password: ***
cas.authn.pac4j.saml[0].service-provider-entity-id: ***
cas.authn.pac4j.saml[0].metadata.identity-provider-metadata-path: ***
cas.authn.pac4j.saml[0].metadata.service-provider.file-system.location: ***
cas.authn.pac4j.saml[0].keystore-path: ***
cas.authn.pac4j.saml[0].destination-binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
cas.authn.pac4j.saml[0].logout-response-binding-type: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
cas.authn.pac4j.saml[0].client-name: ***
cas.authn.pac4j.saml[0].sign-authn-request: true
cas.authn.pac4j.saml[0].wants-assertions-signed: true
cas.authn.pac4j.saml[0].wants-responses-signed: true
cas.authn.pac4j.saml[0].sign-service-provider-logout-request: true
cas.authn.pac4j.saml[0].use-name-qualifier: false

I haven't been able to figure out why this is happening. Any ideas what could be the culprit?

Tomi

Ray Bon

May 20, 2025, 11:39:28 PM
to cas-...@apereo.org
Tomi,

CAS can delegate authentication to another SAML IdP. See https://apereo.github.io/cas/7.2.x/integration/Delegate-Authentication.html

Or are you trying to protect an application (in which case the CAS server is not the correct tool)?

Pac4j (or another cas client) can be included in the application (if you are building the application); or shibboleth SP can be installed on the web server hosting your application.

Ray


Tomi Karlstedt

May 21, 2025, 7:25:30 AM
to CAS Community, Ray Bon
Hi,

Yes, we have set up authentication delegation to an IdP with the config parameters I described above. The setup "works", i.e. users can authenticate through it, but the issue is that the delegated authentications create 300MB tickets in the CAS database and the server then runs out of Java heap space while trying to handle these tickets. The tickets consist almost entirely of the above authnContext, which just repeats the string "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" for 300MB. I tried to ask why CAS and/or pac4j would do anything like this and what we can do to prevent it from creating these huge tickets.

Tomi
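A quick way to confirm which authentication attribute is inflating a serialized ticket, before digging into CAS or pac4j, is to measure each attribute's serialized size and cardinality. The script below is an added diagnostic written for this thread; it is not code from CAS, pac4j or either poster. It reads the Jackson-style ticket JSON shown in the first post (typed lists as `["java.util.ArrayList", [...]]`, maps tagged with `"@class"`), strips those wrappers, and reports bytes, element count and distinct values per attribute, flagging anything over a threshold. The sample ticket it builds is constructed (the `issuerId` and `otherAttribute` values are placeholders); a real exported ticket can be passed to `report_from_json` instead.

```python
import json
from collections import Counter
from typing import Any

# The authn context class repeated in the tickets described in the thread.
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"


def build_sample_ticket(repeats: int) -> dict:
    """Construct a ticket fragment in the shape quoted in the thread.

    Jackson default typing wraps lists as ["java.util.ArrayList", [...]]
    and tags maps with "@class". issuerId and otherAttribute are placeholders,
    constructed for this example only.
    """
    return {
        "authenticationAttributes": {
            "@class": "java.util.HashMap",
            "issuerId": "https://idp.example.invalid/placeholder",
            "authnContext": ["java.util.ArrayList", [PPT] * repeats],
            "otherAttribute": ["java.util.ArrayList", ["constructed-value"]],
        }
    }


def unwrap_typed(value: Any) -> Any:
    """Strip Jackson type wrappers so sizes reflect payload only.

    ["java.util.ArrayList", [...]] becomes [...]; "@class" keys are dropped.
    """
    if (isinstance(value, list) and len(value) == 2
            and isinstance(value[0], str) and value[0].startswith("java.")
            and isinstance(value[1], list)):
        return [unwrap_typed(v) for v in value[1]]
    if isinstance(value, dict):
        return {k: unwrap_typed(v) for k, v in value.items() if k != "@class"}
    if isinstance(value, list):
        return [unwrap_typed(v) for v in value]
    return value


def attribute_report(ticket: dict) -> dict[str, dict[str, int]]:
    """Per-attribute summary: serialized bytes, element count, distinct values."""
    attrs = unwrap_typed(ticket["authenticationAttributes"])
    report: dict[str, dict[str, int]] = {}
    for name, value in attrs.items():
        serialized = json.dumps(value, separators=(",", ":"))
        values = value if isinstance(value, list) else [value]
        distinct = Counter(json.dumps(v, sort_keys=True) for v in values)
        report[name] = {
            "bytes": len(serialized.encode("utf-8")),
            "count": len(values),
            "distinct": len(distinct),
        }
    return report


def find_bloated(report: dict[str, dict[str, int]], max_bytes: int = 64 * 1024) -> list[str]:
    """Attributes whose serialized form exceeds max_bytes, largest first."""
    return sorted(
        (name for name, r in report.items() if r["bytes"] > max_bytes),
        key=lambda name: report[name]["bytes"],
        reverse=True,
    )


def report_from_json(text: str, max_bytes: int = 64 * 1024):
    """Parse an exported ticket (JSON text) and return (report, bloated names)."""
    report = attribute_report(json.loads(text))
    return report, find_bloated(report, max_bytes)


if __name__ == "__main__":
    # Run against the constructed sample; swap in an exported ticket as needed.
    sample_text = json.dumps(build_sample_ticket(5000))
    rep, bloated = report_from_json(sample_text)
    for name, r in rep.items():
        print(f"{name:16s} bytes={r['bytes']:>9d} count={r['count']:>6d} distinct={r['distinct']}")
    print("over threshold:", bloated)
```

A list with thousands of elements but a single distinct value, as the output shows for `authnContext`, points at something appending the same context class on every authentication (or every attribute-merge pass) rather than at a genuinely large IdP response, which is the distinction worth establishing before changing the delegation configuration or the ticket registry.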
