Environment
Situation
Resolution
Avoid the HTTP-Redirect method and use HTTP-POST for the SAML2 Binding instead. This can be achieved in one of two ways:
1. Configure the third-party Service Provider to use the HTTP-POST Binding on that end.
2. Alter the AAF/OSP metadata by removing the <SingleSignOnService> and <SingleLogoutService> entries for HTTP-Redirect before it is supplied to the Service Provider. This tells the Service Provider that consumes the metadata that Redirect isn't supported, and it will be forced to use HTTP-POST.
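Option 2 as an added example (not vendor-supplied code): a Python sketch that removes the HTTP-Redirect SingleSignOnService and SingleLogoutService entries from a SAML 2.0 IdP metadata document. The sample metadata, its entityID and the endpoint URLs are constructed placeholders, and the function name is hypothetical.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ENDPOINTS = {f"{{{MD}}}SingleSignOnService", f"{{{MD}}}SingleLogoutService"}

ET.register_namespace("md", MD)
ET.register_namespace("ds", DS)

# Constructed sample metadata; entityID and Location values are placeholders.
SAMPLE = f"""<EntityDescriptor xmlns="{MD}" entityID="https://idp.example.com/idp">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService Binding="{REDIRECT}" Location="https://idp.example.com/slo"/>
    <SingleLogoutService Binding="{POST}" Location="https://idp.example.com/slo"/>
    <SingleSignOnService Binding="{REDIRECT}" Location="https://idp.example.com/sso"/>
    <SingleSignOnService Binding="{POST}" Location="https://idp.example.com/sso"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def strip_redirect_endpoints(metadata_xml):
    """Return (new_xml, removed_count, signed) with HTTP-Redirect endpoints removed."""
    root = ET.fromstring(metadata_xml)
    # A signature over the descriptor no longer verifies once the XML is edited.
    signed = root.find(f".//{{{DS}}}Signature") is not None
    removed = 0
    for parent in list(root.iter()):  # snapshot, since the tree is modified below
        for child in list(parent):
            if child.tag in ENDPOINTS and child.get("Binding") == REDIRECT:
                parent.remove(child)
                removed += 1
    # Refuse to emit metadata that would leave the SP with no sign-on endpoint.
    if root.find(f".//{{{MD}}}SingleSignOnService") is None:
        raise ValueError("no SingleSignOnService left; is HTTP-POST enabled on the IdP?")
    return ET.tostring(root, encoding="unicode"), removed, signed


if __name__ == "__main__":
    new_xml, removed, signed = strip_redirect_endpoints(SAMPLE)
    print(f"removed {removed} HTTP-Redirect endpoint(s); signed metadata: {signed}")
    print(new_xml)
```

If the exported metadata carries a ds:Signature, editing it invalidates that signature; the `signed` flag reports this so the file can be re-signed or handed to the Service Provider over a trusted channel.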
Cause
Use of the SAML 2.0 events may cause this condition.
The third-party Service Provider sends a SAML request via the HTTP-Redirect method. AAF/OSP needs to "Inflate" the message before it can be processed.
For some reason the threads that run the Inflate step are never released, which causes heavy CPU usage over time. The issue seems to be in the underlying Java library.