Support Article
SAML: WSS4J ReplayCache files due to OneTimeUse condition
SA-26756
Summary
During load testing of an application that uses SAML authentication, it was observed that thousands of files had accumulated on the Pega application servers, named as follows:
wss4j%002esaml%002eone%002etime%002euse%002ecache-%0041%00433%0044%004f%0041t3a%004b%0056%0048%0044%0041==.data
Error Messages
Not applicable
Steps to Reproduce
1) Use SAML Authentication.
2) At the IdP, set the SAML "OneTimeUse" condition on the issued assertion.
Example: an <OneTimeUse/> element inside the assertion's Conditions:
<ns2:Conditions NotOnOrAfter="2016-07-29T20:23:09Z" NotBefore="2016-07-29T20:21:09Z">
    <ns2:OneTimeUse/>
    <ns2:AudienceRestriction>
        <ns2:Audience>https://prpc_host/prweb/sp/1469308210</ns2:Audience>
    </ns2:AudienceRestriction>
</ns2:Conditions>
Root Cause
PRPC uses WSS4J 2.0 for its SAML authentication implementation, and WSS4J has its ReplayCache settings enabled by default.
When the "OneTimeUse" condition is present in the assertion, WSS4J creates a cache file in the java.io.tmpdir directory. As a result, a file is written every time a user authenticates with PRPC, and the files accumulate on the server.
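A check for the file build-up described above, as an added example (not Pega or WSS4J code): it decodes the escaped cache name from the quoted file name pattern, counts replay-cache files per cache, and flags when the OneTimeUse cache exceeds a threshold. The '<cache name>-<suffix>.data' layout and the '%00' + two-hex-digit escape are assumptions inferred from the file name in the summary; SAMPLE_FILES is constructed.

```python
"""Count WSS4J one-time-use replay-cache files left in java.io.tmpdir.
Added example, not Pega or WSS4J code. Assumes the naming seen in the article:
'<cache name>-<suffix>.data', escaping characters as %00 plus two hex digits."""
import os
import re
import tempfile
from collections import Counter

ONE_TIME_USE_CACHE = "wss4j.saml.one.time.use.cache"
_ESCAPE = re.compile(r"%00([0-9a-fA-F]{2})")

def unescape(name):
    """Turn '%002e'-style escapes back into the characters they stand for."""
    return _ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), name)

def split_store_file(filename):
    """Return (cache name, suffix) for a '<cache>-<suffix>.data' file, else None."""
    if not filename.endswith(".data"):
        return None
    cache, sep, suffix = filename[: -len(".data")].partition("-")
    return (unescape(cache), unescape(suffix)) if sep else None

def count_replay_cache_files(filenames):
    """Count .data files per decoded cache name; unrelated files are ignored."""
    counts = Counter()
    for name in filenames:
        parsed = split_store_file(name)
        if parsed:
            counts[parsed[0]] += 1
    return counts

def one_time_use_files_exceed(filenames, threshold=100):
    """True when the OneTimeUse cache has left more than `threshold` files."""
    return count_replay_cache_files(filenames)[ONE_TIME_USE_CACHE] > threshold

def scan_tmpdir(path=None):
    """Summarise java.io.tmpdir; defaults to the OS temp directory."""
    return count_replay_cache_files(os.listdir(path or tempfile.gettempdir()))

# Constructed sample: two replay-cache files beside an unrelated JVM temp file.
SAMPLE_FILES = [
    "wss4j%002esaml%002eone%002etime%002euse%002ecache-"
    "%0041%00433%0044%004f%0041t3a%004b%0056%0048%0044%0041==.data",
    "wss4j%002esaml%002eone%002etime%002euse%002ecache-%0042%0042x%0059==.data",
    "hsperfdata_tomcat",
]

if __name__ == "__main__":
    for cache, n in sorted(scan_tmpdir().items()):
        print(f"{n:6d}  {cache}")
```

Run it against the real temp directory after applying the hotfix; the OneTimeUse cache count should stop growing between login tests.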
Resolution
Apply HFix-28921.
This hotfix turns off the WSS4J 2.0 OneTimeUse ReplayCache.
PRPC uses its own ReplayCache instead, which does not write files to the file system.
Published August 22, 2016 - Updated October 8, 2020