Diagnosing Single Sign-on Issues

From the user’s point of view, it’s simple.  Click on a link, and then see a page.  Under the hood, single sign-on is a complicated operation. The example below shows that this single click can involve up to four web sites and six browser redirects.  Normally, this all happens in milliseconds, but when something goes wrong, the problem can be in one of many places. How do you diagnose the issue? 

Figure: SSO Flow Complexity

The problem could be with:

  • The Identity Provider’s (IDP) single sign-on software.
  • The Identity Provider’s application web site (e.g. the portal).
  • The Service Provider’s (SP) single sign-on software.
  • The Service Provider’s (SP) application web site (e.g. the application home page).
  • The user’s browser.
  • Network connectivity between any of the above.

In a typical scenario, a user clicks on a link to go to a partner site, and they land on the partner site’s home page.  These home pages are usually full of great information but are also the most complex pages on the web site and therefore, the most likely to have a problem.  You might say that this is a web-site problem and not an SSO problem, but your partners and customers won’t see it that way; all they know is they clicked the link and saw an error page.

At AssureBridge, we handle this type of problem resolution for our clients all the time.  Some of the strategies we employ include:

  1. Make sure the web sites are working.  Before digging into the complexity of SSO, test the partner web sites (and your own web sites) to make sure they are up and functioning.  Make sure you have a working test ID with a known-good password.
  2. Keep detailed logs.  Since SSO involves many redirects, it is hard to tell from the browser where the problem is.  Internet Explorer is notorious for indicating that it is “waiting for site X” to respond when it is really waiting for site Y.  Keep good logs that let you understand the various hand-offs: whether each occurred and whether it succeeded.
  3. Perform end-to-end testing.  We offer continuous end-to-end monitoring to customers with critical SSO needs.  This allows us to continuously test connectivity and see problems before the users do.  Make sure your end-to-end testing software is capable of identifying problems in https redirection, since they are a frequent issue.
  4. Tracing.  We’ve built detailed tracing into our offering to allow each step of the single sign-on to be monitored.  If your solution doesn’t offer this, get familiar with browser trace tools like Fiddler so you can see what is going on.
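A hop-by-hop tracer in the spirit of steps 2 through 4, as an added example (not AssureBridge’s software): it disables automatic redirect following so each hand-off is logged separately, and flags https-to-http downgrades, redirect loops and the site that actually failed. The host names and the CHAIN mapping are constructed sample data.

```python
"""Hop-by-hop SSO redirect tracer. Added example; not AssureBridge's code.
The hosts and the CHAIN mapping below are constructed sample data."""
from urllib.parse import urljoin, urlsplit
import urllib.error
import urllib.request


def http_fetch(url: str):
    """One live request with redirects disabled, so each hand-off is observed on its own."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # surface the 3xx instead of silently following it
    try:
        with urllib.request.build_opener(NoRedirect).open(url, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # unfollowed 3xx, 4xx and 5xx land here
        return err.code, err.headers.get("Location")


def trace_sso(start_url: str, fetch, max_hops: int = 10):
    """Walk the chain from the launch link; returns (hops, findings), hop = (url, status, location)."""
    hops, findings, seen, url = [], [], {start_url}, start_url
    while len(hops) < max_hops:
        status, location = fetch(url)
        hops.append((url, status, location))
        site = urlsplit(url).netloc
        if status in (301, 302, 303, 307, 308) and location:
            nxt = urljoin(url, location)
            if urlsplit(url).scheme == "https" and urlsplit(nxt).scheme == "http":
                findings.append(f"hop {len(hops)}: {site} downgraded https->http ({nxt})")
            if nxt in seen:
                findings.append(f"hop {len(hops)}: redirect loop back to {nxt}")
                return hops, findings
            seen.add(nxt)
            url = nxt
        else:
            if status >= 400:
                findings.append(f"hop {len(hops)}: {site} returned {status}")
            return hops, findings
    findings.append(f"gave up after {max_hops} hops at {url}")
    return hops, findings


# Constructed chain: IdP portal -> IdP SSO -> SP SSO -> SP app, where the SP home page fails.
CHAIN = {
    "https://portal.idp.example/launch": (302, "https://sso.idp.example/saml?RelayState=x"),
    "https://sso.idp.example/saml?RelayState=x": (302, "https://sso.sp.example/acs"),
    "https://sso.sp.example/acs": (302, "http://app.sp.example/home"),
    "http://app.sp.example/home": (500, None),
}
mock_fetch = CHAIN.__getitem__  # offline stand-in for http_fetch
```

Run `trace_sso("https://portal.idp.example/launch", http_fetch)` against a real launch link to get the same hop list from live sites.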

Above all, have a plan.  Without a pre-set triage plan, SSO problems can quickly turn into a free-for-all and a blame game, particularly when different organizations are involved.  Isolating the problem to a particular system is 90% of the battle when it comes to single sign-on.