SSO authentication failure


Description

For the attention of: CS – Sweagle

Since this morning, we have had an authentication problem accessing delfinge.sweagle.com.

The SSO returns "ERROR - 404" on the page https://delfingen.sweagle.com/api/saml/SSO

Cause

As part of our continuous improvement of stability and resilience, we rolled out inter-region high availability for the SaaS service using a new load-balancing technology from our cloud provider.
Although this was tested in detail beforehand, issues appeared for customers using an external IdP for authentication.

Resolution

Actions Taken:
• As an immediate action, we rolled back the changes in an attempt to restore normal service operations, but this did not resolve the problem.
• The network and connectivity logs pointed us to a DNS and caching issue. However, that turned out not to be the root cause.
• We ultimately discovered that the root cause was related to the new health check services that we introduced in support of the new load-balancing technology. To keep the volume of health checks out of the logs, we implemented a conditional in the nginx configuration that filters out the specific user agent of the health check service. Depending on where this conditional is added in the web server configuration, it has the side effect of causing the catch-all portion of the configuration to malfunction, including the /login SSO endpoints. Because the conditional was added at a different place in the test environments, we did not discover this issue during testing.

Solution: We moved the conditional in the nginx configuration to a different location and redirected the health check service to that endpoint, where both work successfully. This allowed the configuration to function as expected and restored healthy function.
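
The following nginx configuration is an added illustration, not Sweagle's actual configuration, which this page does not show. It sets a placement-sensitive form of a user-agent log filter (an `if` inside the catch-all location, where nginx does not apply the enclosing `try_files` to requests matching the `if`) beside a form that keeps the conditional out of the catch-all. The user-agent string `ExampleLBProbe`, the `/healthz` path, the ports, the document root and the backend address are all assumptions.

```nginx
# Added illustration; every name, port, path and user-agent string is assumed.
events {}

http {
    # Corrected form: decide once, at http level, whether a request is logged.
    map $http_user_agent $loggable {
        default             1;
        "~*ExampleLBProbe"  0;   # hypothetical health-check user agent
    }

    # Placement-sensitive form: the filter lives inside the catch-all location.
    server {
        listen 8081;
        root /var/www/app;

        location / {
            if ($http_user_agent ~* "ExampleLBProbe") {
                access_log off;
            }
            # "if" in a location forms its own implicit configuration;
            # try_files is not applied to requests that match it.
            try_files $uri @app;
        }
        location @app { proxy_pass http://127.0.0.1:8080; }
    }

    # Corrected form: probes get an exact-match endpoint of their own and
    # the catch-all, which serves the login and SSO paths, has no conditional.
    server {
        listen 8082;
        root /var/www/app;
        access_log /var/log/nginx/access.log combined if=$loggable;

        location = /healthz {
            access_log off;
            return 200 "ok\n";
        }
        location / {
            try_files $uri @app;
        }
        location @app { proxy_pass http://127.0.0.1:8080; }
    }
}
```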