Hi,

We enabled a SAML2 integration on our CAS 7 server. The CAS server acts as 
a service provider. For whatever reason, the integration is creating huge 
tickets in the database and eventually producing OutOfMemoryErrors on the 
CAS server. We checked that one of the serialized tickets looks otherwise 
pretty normal except that it has hundreds of megabytes of authnContext with 
just a single array list of strings:

""authenticationAttributes"":{""@class"":""java.util.HashMap"",""issuerId"":""***"",""authnContext"":[""java.util.ArrayList"",[""urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"",""urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"",""urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"",""urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"",""urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"",""urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"",""urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"",""urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"",""urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"",""urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"",""urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"",""urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"",""urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport""...

Our configuration is as follows:

cas.authn.pac4j.saml[0].keystore-password: ***
cas.authn.pac4j.saml[0].private-key-password: ***
cas.authn.pac4j.saml[0].service-provider-entity-id: ***
cas.authn.pac4j.saml[0].metadata.identity-provider-metadata-path: ***
cas.authn.pac4j.saml[0].metadata.service-provider.file-system.location: ***
cas.authn.pac4j.saml[0].keystore-path: ***
cas.authn.pac4j.saml[0].destination-binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
cas.authn.pac4j.saml[0].logout-response-binding-type: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
cas.authn.pac4j.saml[0].client-name: ***
cas.authn.pac4j.saml[0].sign-authn-request: true
cas.authn.pac4j.saml[0].wants-assertions-signed: true
cas.authn.pac4j.saml[0].wants-responses-signed: true
cas.authn.pac4j.saml[0].sign-service-provider-logout-request: true
cas.authn.pac4j.saml[0].use-name-qualifier: false

I haven't been able to figure out why this is happening. Any ideas what 
could be the culprit?

Tomi
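
A diagnostic for the ticket bloat described above, as an added example that is not part of the original post or of CAS itself: it parses a serialized ticket exported in the same doubled-quote form and reports multi-valued authentication attributes that are long and almost entirely duplicates. The sample ticket, the function names and the thresholds are constructed assumptions.

```python
import json
from collections import Counter

# Constructed sample shaped like the fragment in the post (doubled quotes as in
# a CSV-style database export). The issuer value is a placeholder.
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
SAMPLE = ('{""authenticationAttributes"":{""@class"":""java.util.HashMap"",'
          '""issuerId"":""idp-placeholder"",""authnContext"":[""java.util.ArrayList"",['
          + ",".join(f'""{PPT}""' for _ in range(500)) + ']]}}')

def unwrap(value):
    """Strip a ["java.util.X", [...]] collection type wrapper if present."""
    if (isinstance(value, list) and len(value) == 2 and isinstance(value[0], str)
            and value[0].startswith("java.util.") and isinstance(value[1], list)):
        return value[1]
    return value

def find_attr_maps(node, key="authenticationAttributes"):
    """Yield every map stored under `key` at any depth of the ticket JSON."""
    if isinstance(node, dict):
        for k, v in node.items():
            if k == key and isinstance(v, dict):
                yield v
            yield from find_attr_maps(v, key)
    elif isinstance(node, list):
        for item in node:
            yield from find_attr_maps(item, key)

def attribute_report(raw, csv_escaped=True):
    """Map each multi-valued attribute to its value count, distinct count and size."""
    if csv_escaped:
        raw = raw.replace('""', '"')  # undo the export's quote doubling
    report = {}
    for attrs in find_attr_maps(json.loads(raw)):
        for name, value in attrs.items():
            items = unwrap(value)
            if isinstance(items, list):
                counts = Counter(json.dumps(i, sort_keys=True) for i in items)
                report[name] = {"values": len(items), "distinct": len(counts),
                                "bytes": len(json.dumps(value))}
    return report

def suspicious(report, max_values=50):
    """Attributes with a long value list that is at least 90% duplicates (assumed cutoffs)."""
    return sorted(n for n, r in report.items()
                  if r["values"] > max_values and r["distinct"] * 10 < r["values"])

if __name__ == "__main__":
    rep = attribute_report(SAMPLE)
    for name in suspicious(rep):
        print(name, rep[name])
```

Running this over tickets sampled at different ages shows whether the duplicate count grows with each login or renewal, which narrows down where the list is being appended to.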
