By: Vreixo Luis Gonzalez Caneda user 21 Aug 2021 at 7:53 a.m. CDT

3 Responses
Hi,

We are experiencing very slow access when logging in from Microsoft login to Gluu using a SAML connection. This slowdown is always exactly in the first call to Gluu of the flow, which is taking over 4s every time. This is making the solution not very user friendly.

Our installation is in a standard cloud instance with 16GB of RAM and 4 cores (2.5GHz peak frequency), all running with Docker via pygluu-compose and dedicated to Gluu.

4 redirects are happening, the first one always taking more than 4 seconds, the next two less than 100ms and the last one around 400ms:

- https://gluu-scw-docker.pre.whispeak.io/idp/profile/SAML2/POST/SSO
- https://gluu-scw-docker.pre.whispeak.io/idp/profile/SAML2/POST/SSO?execution=e1s1
- https://gluu-scw-docker.pre.whispeak.io/idp/Authn/oxAuth?conversation=e1s1
- https://gluu-scw-docker.pre.whispeak.io/oxauth/restv1/authorize?response_type=code&client_id=1101.983bcb72-82da-452a-a7a1-df8586493152&scope=openid+email+user_name&redirect_uri=https%3A%2F%2Fgluu-scw-docker.pre.whispeak.io%2Fidp%2FAuthn%2FoxAuth&state=eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJzdGF0ZSI6IklvUTFJaHFoaGkiLCJjb252ZXJzYXRpb24iOiJlMXMxIn0.&nonce=srourikGTw&issuerId=urn:federation:MicrosoftOnline&entityId=urn:federation:MicrosoftOnline
- https://gluu-scw-docker.pre.whispeak.io/oxauth/authorize.htm?scope=openid+email+user_name&response_type=code&redirect_uri=https%3A%2F%2Fgluu-scw-docker.pre.whispeak.io%2Fidp%2FAuthn%2FoxAuth&state=eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJzdGF0ZSI6IklvUTFJaHFoaGkiLCJjb252ZXJzYXRpb24iOiJlMXMxIn0.&nonce=srourikGTw&client_id=1101.983bcb72-82da-452a-a7a1-df8586493152

Regards,

By Aliaksandr Samuseu staff 21 Aug 2021 at 11:41 a.m. CDT

Hi.

Do you think you could record a full network trace of the flow where the issue happens and share with us as a HAR file? So it will be the first attempt with the huge delay you see, and a few subsequent attempts with no delays, we need both results for comparison, you can put them into a single HAR.

You can use steps listed [here](https://www.inflectra.com/support/knowledgebase/kb254.aspx) - please use Firefox for that task, Chrome's HARs are flawed. Also don't forget to set "Persist log" and "Disable cache" checkboxes in the console to save everything, not just the recently loaded page.

Before proceeding with this, please also increase verbosity for IDP's logs by editing "Logging level shortcuts" section in `/opt/shibboleth-idp/conf/logback.xml` file inside `oxshibboleth` container like this (preserve the original file to roll-back the changes later):

```
<variable name="idp.loglevel.idp" value="${idp.loglevel.idp:-DEBUG}" />
<variable name="idp.loglevel.ldap" value="${idp.loglevel.ldap:-DEBUG}" />
<variable name="idp.loglevel.messages" value="${idp.loglevel.messages:-DEBUG}" />
<variable name="idp.loglevel.encryption" value="${idp.loglevel.encryption:-INFO}" />
<variable name="idp.loglevel.opensaml" value="${idp.loglevel.opensaml:-DEBUG}" />
<variable name="idp.loglevel.props" value="${idp.loglevel.props:-DEBUG}" />
<variable name="idp.loglevel.httpclient" value="${idp.loglevel.httpclient:-DEBUG}" />
```

Tail the log inside `oxshibboleth` container for some time to make sure changes are applied (some DEBUG entries are appearing):

`# tail -F /opt/shibboleth-idp/logs/idp-process.log`

When it's applied, collect the traces (HAR file) and the `idp-process.log` related to the same time period, and share with us.
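One way to compare the slow first attempt with the later ones once the HAR is captured, as an added example that is not part of the original thread or of Gluu's tooling: it reads HAR 1.2 `log.entries` and reports, per request, the total time and the dominant timing phase (`wait` is time spent waiting for the server's first byte). The host, the sample entries and all timings are constructed, and `summarize` and `slow_ms` are hypothetical names.

```python
from urllib.parse import urlsplit

PHASES = ("blocked", "dns", "connect", "send", "wait", "receive")  # "ssl" is part of "connect"

def summarize(har, slow_ms=1000):
    """One row per HAR entry: path, status, total ms, dominant phase, slow flag."""
    rows = []
    for entry in har["log"]["entries"]:
        # HAR 1.2 marks phases that did not apply with -1 (or omits them); skip those.
        phases = {p: entry["timings"].get(p) for p in PHASES}
        phases = {p: v for p, v in phases.items() if v is not None and v >= 0}
        total = entry.get("time") or sum(phases.values())
        rows.append({
            # Keep only the path: the query string carries state, nonce and client_id.
            "path": urlsplit(entry["request"]["url"]).path,
            "status": entry["response"]["status"],
            "total_ms": round(total),
            "dominant": max(phases, key=phases.get) if phases else None,
            "slow": total >= slow_ms,
        })
    return rows

def _entry(url, total, wait):
    # Constructed sample entry; every millisecond value here is made up for illustration.
    return {"time": total, "request": {"method": "GET", "url": url},
            "response": {"status": 302},
            "timings": {"blocked": 1, "dns": -1, "connect": -1, "ssl": -1,
                        "send": 1, "wait": wait, "receive": total - wait - 2}}

HOST = "https://idp.example.test"  # placeholder host, not the one from the thread
SAMPLE_HAR = {"log": {"entries": [
    _entry(HOST + "/idp/profile/SAML2/POST/SSO", 4310, 4300),
    _entry(HOST + "/idp/profile/SAML2/POST/SSO?execution=e1s1", 80, 70),
    _entry(HOST + "/idp/Authn/oxAuth?conversation=e1s1", 60, 50),
    _entry(HOST + "/oxauth/restv1/authorize?response_type=code", 410, 400),
]}}

if __name__ == "__main__":
    for row in summarize(SAMPLE_HAR):
        flag = "SLOW" if row["slow"] else "ok"
        print(f'{flag:4} {row["total_ms"]:>6} ms  {row["dominant"]:8} {row["path"]}')
```

For a real capture, pass the parsed file instead of the sample, for instance `summarize(json.load(open("capture.har")))`. A slow row dominated by `wait` points at server-side processing, which is what the DEBUG-level `idp-process.log` for the same time window helps explain.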

By Aliaksandr Samuseu staff 21 Aug 2021 at 11:44 a.m. CDT

By the way, you seem to stress out it's somehow O365-related only. Do you observe the same behavior for other SPs as well? If you haven't tested yet, could you try to create a TR for `https://samltest.id/` and give it a try?

By Vreixo Luis Gonzalez Caneda user 24 Aug 2021 at 4:45 a.m. CDT

Hi,

I didn't mean to stress it out, it was just the only configuration that I had tested. I have done the same with samltest.id as suggested and the wait is even longer. You can find below the links for both HARs taken from Firefox.

I would also like to have a response for ticket https://support.gluu.org/single-sign-on/9724/passport-integration-issues-with-azure-ad/ which is closed. Is it possible to reopen it again from your side?

- https://www.dropbox.com/s/i9seyzsbmw586tw/samltest.har?dl=0
- https://www.dropbox.com/s/1hncbnsir6k57xy/office365.har?dl=0

Thank you very much,