Single Sign On (SAML) Incident Report
Date of Incident: 07/06/2020
Time/Date Incident Started: 07/04/2020, 2:09 pm EDT
Time/Date Stability Restored: 07/06/2020, 6:47 pm EDT
Time/Date Incident Resolved: 07/06/2020, 7:23 pm EDT
Users Impacted: Some users
Frequency: Intermittent
Impact: Minor
Incident description:
The Support team received multiple reports from clients who could not log in to ServiceChannel via SSO.
The issue was identified as related to the expiration of a wildcard SSL certificate used by some ServiceChannel SSO integrations. As a result, SSO logins from the impacted clients were denied by the ServiceChannel ACS.
Log traces showed the following exceptions:
"Module":"SAML","Message":"Decryption failed for issuer
"Module":"SAML","Message":"Failed to decrypt assertion:
"Exception":"System.Exception: Failed to decrypt XML. ---> System.Security.Cryptography.CryptographicException: Error occurred while decoding OAEP padding.
Some clients' IdPs recognized the outdated certificate on the ServiceChannel side and denied initiation of user logins to ServiceChannel from the IdP end. In these cases, end users experienced the error on the IdP side, so assertions were not sent to the ServiceChannel ACS.
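The following is an added example, not ServiceChannel code: a triage check over ACS log records that separates decryption failures spread across several issuers (a shared cause on the service provider side, as in this incident) from failures tied to one IdP. The "Timestamp" key, the issuer values and the function names are assumptions; only "Module" and "Message" come from the excerpt above. It cannot see the cases where the IdP refused to send an assertion at all.

```python
import json
from datetime import datetime, timedelta

# Constructed sample records. "Module" and "Message" follow the report's log
# excerpt; the "Timestamp" key and the issuer names are assumptions.
SAMPLE_LOGS = [
    '{"Timestamp":"2020-07-04T14:09:11","Module":"SAML",'
    '"Message":"Decryption failed for issuer https://idp.client-a.example"}',
    '{"Timestamp":"2020-07-04T14:12:40","Module":"SAML",'
    '"Message":"Decryption failed for issuer https://idp.client-b.example"}',
    '{"Timestamp":"2020-07-04T14:13:02","Module":"SAML",'
    '"Message":"Decryption failed for issuer https://idp.client-a.example"}',
    '{"Timestamp":"2020-07-04T14:20:00","Module":"Auth","Message":"Login ok"}',
    'not json at all',
]
PREFIX = "Decryption failed for issuer "


def decryption_failures(lines):
    """Return sorted (timestamp, issuer) pairs for SAML decryption failures."""
    events = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        if not isinstance(rec, dict) or "Timestamp" not in rec:
            continue
        msg = rec.get("Message", "")
        if rec.get("Module") == "SAML" and msg.startswith(PREFIX):
            issuer = msg[len(PREFIX):].strip()
            events.append((datetime.fromisoformat(rec["Timestamp"]), issuer))
    return sorted(events)


def classify(lines, window=timedelta(hours=1), min_issuers=2):
    """Return (verdict, issuers). 'sp-side': at least min_issuers distinct
    issuers failed inside one window, so the shared decryption certificate is
    the first thing to check. 'isolated': failures exist but never cluster
    across issuers. 'none': no decryption failures."""
    events = decryption_failures(lines)
    if not events:
        return "none", set()
    for i, (start, _) in enumerate(events):
        issuers = {iss for ts, iss in events[i:] if ts - start <= window}
        if len(issuers) >= min_issuers:
            return "sp-side", issuers
    return "isolated", {iss for _, iss in events}
```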
Root Cause Analysis:
This issue was caused by an expired wildcard SSL certificate update used by a small number of SAML SSO client integrations.
Actions Taken:
Mitigation Measures: