Thanks for your insight! I will look into it.

But I think my issue was
"org.apereo.cas.services.GroovyRegisteredServiceUsernameProvider". Since I
replaced it, CAS has authenticated 150k requests and no incidents have been
reported so far.

Digging logs further I found that there is a property in the SAML response
named "InResponseTo". At first I thought it should be unique, then I found
other responses with the same InResponseTo. Some of them belong to
responses to the same user, but a few to other users. The identified
incidents have the same "InResponseTo" for different users and happened at
the same second.

--
Danilo Mendes


On Thu, Oct 15, 2020 at 6:42 PM Samuel Lyons <[email protected]>
wrote:

> err sorry, for 6.1 the attributes are
>
> cas.authn.attributeRepository.expirationTime=0
> cas.authn.attributeRepository.expirationTimeUnit=MINUTES
>
> On Thursday, October 15, 2020 at 3:38:41 PM UTC-6 Samuel Lyons wrote:
>
>> We have solved an issue very similar to this, and it is probably this issue.
>> What happens is that there's a default attribute repository cache that
>> basically stores the username's hashCode (the username is in like a list
>> with one value or something like that, and then it calls the hashCode()
>> method on it) as a key
>> https://github.com/apereo/person-directory/blob/2e1439bf804a2b93019b8e5846837fe2628abbd7/person-directory-impl/src/main/java/org/apereo/services/persondir/support/AttributeBasedCacheKeyGenerator.java#L326
>> .
>> The method .hashCode does NOT guarantee unique values out of it. In fact
>> similar strings have a higher probability of having the same hashCode, but
>> this can still affect ones that are fairly different. To know if this is
>> your issue, take the usernames of both individuals and run a test Java
>> program that calls the default .hashCode method on them and see if they
>> have the same value. The solution that was found was to turn the cache off:
>>
>> cas.authn.attribute-repository.expiration-time=0
>> cas.authn.attribute-repository.expiration-time-unit=MINUTES
>>
>> On Tuesday, October 13, 2020 at 11:51:02 AM UTC-6 [email protected]
>> wrote:
>>
>>> That didn't solve it.
>>>
>>> But I found one customization: a one-line Groovy script for fixing the
>>> username for Google.
>>>
>>> I replaced it with another attribute provider.
>>>
>>> On Friday, October 9, 2020 at 9:53:42 AM UTC-3 Danilo Mendes wrote:
>>>
>>>> Thank you for your responses.
>>>>
>>>> It only customized the login form adding some warnings about usage.
>>>>
>>>> It doesn't have a proxy, or cache... At the beginning we had a load
>>>> balancer (haproxy) serving a CAS cluster, but, to mitigate this issue, I
>>>> removed it to simplify the installation and because it has an open
>>>> issue that I thought might be related (
>>>> https://github.com/haproxy/haproxy/issues/583). Since then I have only
>>>> one CAS working directly and the problem persists.
>>>>
>>>> After Richard's reply I extended my investigation to the LDAP server
>>>> and found that the node I was using was very old and unmaintained 389-ds.
>>>> Then I switched the config to a new one.
>>>>
>>>> Since then I have had a few hours without incidents. I hope it stays like
>>>> that.
>>>>
>>>> On Friday, October 9, 2020 at 8:33:35 AM UTC-3 [email protected]
>>>> wrote:
>>>>
>>>>>
>>>>>
>>>>> There’s not a caching proxy in front of your application is there? If
>>>>> so make sure caching is switched off, we’ve seen something similar and the
>>>>> cache was the problem.
>>>>>
>>>>>
>>>>>
>>>>> Duncan
>>>>>
>>>>>
>>>>>
>>>>> *From:* 'Richard Frovarp' via CAS Community <[email protected]>
>>>>> *Sent:* 08 October 2020 19:04
>>>>> *To:* [email protected]
>>>>> *Subject:* Re: [cas-user] Wrong user authenticated
>>>>>
>>>>>
>>>>>
>>>>> Probably not? That sounds like code that is being hit somewhere that
>>>>> isn't thread safe. The built in LDAP code to CAS should be just fine with
>>>>> that respect. Assuming you're using a well supported LDAP server that
>>>>> wouldn't have thread issues? I don't know how a HTTP proxy would impact
>>>>> this. I guess the question is, do you have any custom code anywhere in the
>>>>> network or login flow?
>>>>>
>>>>>
>>>>>
>>>>> On Thu, 2020-10-08 at 14:59 -0300, Danilo Mendes wrote:
>>>>>
>>>>> My server is hosted on a vmware4 server and I've followed a lead about
>>>>> entropy and noted that /dev/random doesn't play well with VMs.
>>>>>
>>>>>
>>>>>
>>>>> Do any of you think it could be related?
>>>>>
>>>>>
>>>>> --
>>>>>
>>>>> Danilo Mendes
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Tue, Oct 6, 2020 at 11:06 AM Danilo Mendes <[email protected]>
>>>>> wrote:
>>>>>
>>>>> Hello,
>>>>>
>>>>>
>>>>>
>>>>> I have a 6.1.7.1 installation authenticating G Suite apps against an
>>>>> LDAP directory. It's configured using the standalone profile.
>>>>>
>>>>>
>>>>>
>>>>> Most of the time it works OK, but sometimes when two users try to
>>>>> authenticate at the same time it sends wrong responses and User A opens
>>>>> User B's account.
>>>>>
>>>>>
>>>>>
>>>>> Can you help me debug this? Or point me in a direction I can follow?
>>>>>
>>>>>
>>>>>
>>>>> Thank you.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>

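As an added example (not code from this thread, from CAS or from person-directory): a Python reimplementation of java.lang.String.hashCode() and java.util.List.hashCode(), so the check Samuel describes (do the two affected usernames produce the same hash?) can be run without a JVM, together with a small generator that shows how cheaply two different usernames with identical hashes can be produced. It assumes the cache key is derived from the username string's hashCode as described in the message above; whether the linked AttributeBasedCacheKeyGenerator uses exactly that value should be confirmed against the source. The usernames below are constructed sample data.

```python
"""Check two usernames for a Java hashCode() collision (added example).

Java's String.hashCode() is h = 31*h + c over the string's UTF-16 code
units, wrapping to a signed 32-bit int. Only 2^32 values exist, so distinct
usernames can and do collide; a cache keyed on that value then serves one
user's attributes to another.
"""
import itertools
import re


def _to_signed32(h: int) -> int:
    """Fold an unsigned 32-bit value into Java's signed int range."""
    h &= 0xFFFFFFFF
    return h - 0x100000000 if h >= 0x80000000 else h


def java_string_hashcode(s: str) -> int:
    """Exact replica of java.lang.String.hashCode() (UTF-16 code units)."""
    h = 0
    data = s.encode("utf-16-be")          # Java strings are UTF-16
    for i in range(0, len(data), 2):
        unit = (data[i] << 8) | data[i + 1]
        h = (31 * h + unit) & 0xFFFFFFFF
    return _to_signed32(h)


def java_list_hashcode(items) -> int:
    """Replica of java.util.List.hashCode(): starts at 1, h = 31*h + e.hashCode().
    A one-element list of strings therefore collides whenever the strings do."""
    h = 1
    for item in items:
        h = (31 * h + java_string_hashcode(item)) & 0xFFFFFFFF
    return _to_signed32(h)


def usernames_collide(a: str, b: str) -> bool:
    """True when two *different* usernames would share a hashCode-based key."""
    return a != b and java_string_hashcode(a) == java_string_hashcode(b)


def find_collisions(usernames):
    """Group distinct usernames that share a hash: {hash: [user, user, ...]}.
    Run this over an export of your directory to find existing collisions."""
    by_hash = {}
    for u in usernames:
        by_hash.setdefault(java_string_hashcode(u), set()).add(u)
    return {h: sorted(us) for h, us in by_hash.items() if len(us) > 1}


def colliding_variants(username: str):
    """All distinct strings with the same hashCode as `username` obtained by
    swapping 'Aa' <-> 'BB' blocks. This works because
    ord('A')*31 + ord('a') == ord('B')*31 + ord('B') == 2112 and the hash is
    a polynomial in 31, so a two-character block contributes the same amount
    at any position. It shows that collisions are trivial to construct, not
    just statistically possible."""
    blocks = [m.start() for m in re.finditer(r"Aa|BB", username)]
    swap = {"Aa": "BB", "BB": "Aa"}
    variants = set()
    for choice in itertools.product([False, True], repeat=len(blocks)):
        chars = list(username)
        for pos, flip in zip(blocks, choice):
            if flip:
                chars[pos:pos + 2] = swap[username[pos:pos + 2]]
        variants.add("".join(chars))
    variants.discard(username)
    return sorted(variants)


if __name__ == "__main__":
    # Constructed sample usernames; replace with the two users from your logs.
    sample = ["danilo", "samuel", "Aa", "BB", "AaBB", "BBAa"]
    for h, users in find_collisions(sample).items():
        print(f"hashCode {h}: {users} would share one cache key")
    print("variants of 'AaBB':", colliding_variants("AaBB"))
```

If `usernames_collide(user_a, user_b)` returns True for the two accounts in an incident, the attribute cache is the likely culprit; if it returns False, keep looking elsewhere (the Groovy username provider, the proxy, the LDAP server), since a hash match is a necessary condition for this particular failure mode.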
-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAPwzNfpkn2rg%3Dpm6PFqJ9ZFiqkkyLTNnufaAkbDEz%3D8dVtV0MQ%40mail.gmail.com.
