INC0042891 Intermittent SSO Authentication Failures — Corporate Identity Provider
P2 High · In Progress · SLA: 3h 14m left
Incident Details
Number: INC0042891
State: In Progress
Impact: 2 — Medium
Urgency: 2 — Medium
Priority: 2 — High
Category: Software
Subcategory: Authentication & Access
Caller: Rachel Kim · IT Operations
Opened: Apr 4, 2026 — 09:47 AM (PDT)
Assignment Group:
Assigned To: Marcus Lindqvist · IAM L2 Engineer
Affected Users: ~340 (Engineering, Finance, Legal)
Location: Global (multi-region)
Description

Since approximately 08:30 AM PDT on April 4, 2026, approximately 340 users across Engineering, Finance, and Legal departments have been experiencing intermittent failures when authenticating through the corporate Single Sign-On (SSO) system. Affected users report receiving "Authentication failed — please try again" errors after entering valid credentials on the corporate identity portal (sso.corp.example.com). The issue appears intermittent: roughly 30–40% of login attempts fail on the first try, with subsequent retries succeeding within 2–3 attempts.

The corporate SSO stack uses Okta as the primary Identity Provider (IdP), backed by Active Directory (AD) federation via ADFS on two on-prem servers (ADFS-PROD-01 and ADFS-PROD-02). Affected applications include Salesforce, Jira, Workday, and the internal HR portal. VPN-authenticated sessions appear unaffected; only browser-based SAML flows are impacted.

Initial triage shows elevated 500-series error rates from ADFS-PROD-01 beginning at 08:28 AM, which correlates with a scheduled maintenance window for SSL certificate renewal. ADFS-PROD-02 is healthy. Okta logs show intermittent SAML assertion signing errors from ADFS-PROD-01. No changes were made to the Okta tenant configuration in the past 14 days. The scheduled maintenance completed at 08:15 AM; however, the certificate trust store on ADFS-PROD-01 may not have been reloaded correctly.

Caller has confirmed that manually forcing Okta to route all SAML requests to ADFS-PROD-02 as a temporary load-balancing override did reduce the error rate significantly, but this is not a sustainable fix and full load distribution must be restored. A permanent resolution is needed before the end-of-day SLA window.

Work Notes (3)
Marcus Lindqvist · Apr 4, 2026 — 10:22 AM Work Note
Confirmed ADFS-PROD-01 certificate trust store not reloaded after renewal. Attempting manual IIS reset + service recycle on ADFS-PROD-01. Will monitor Okta error rate after restart. Current error rate: 34% of SAML flows from PROD-01. PROD-02: 0% errors.
Julia Okonkwo (IAM Lead) · Apr 4, 2026 — 10:05 AM Work Note
Escalated to IAM L2. Okta System Log reference: event_id 0oa8xyz1234. Opened bridge call with Okta TAM (case #CS-0029184). Parallel track: checking if ADFS SSL cert renewal script left the new cert bound to incorrect service account.
Rachel Kim (Caller) · Apr 4, 2026 — 09:51 AM Work Note
Ticket submitted. Confirmed ~340 affected users. Workaround applied: Okta load balanced to ADFS-PROD-02 only. Help desk fielding ~20 calls/hour. Request priority escalation due to business impact.