Now that our investigation of the incident is complete, we would like to share more detailed information on what happened.
The summary:
At around 9:00 CEST (March 3), customers reached out to us about users' failing SSO login attempts. After identifying the root cause, our developer team created a fix and updated our database to avoid inconsistencies or duplications. The fix was rolled out at ~14:45 CEST (March 4), which resolved the incident.
What happened:
A release changed users’ externalID field from being case-insensitive to case-sensitive, which led to our system not identifying IDs if the casing did not match.
Impact:
This affected SSO setups where the IdP sent the user’s externalID in a different casing than the one they were provisioned with in our system. It led to users not being able to log in, or to duplicate users if the setup allows for on-demand user creation. User imports could also lead to duplicate users and existing accounts being deactivated. We have identified those cases in our logs.
Future Improvements:
We have introduced a change on our end to allow for different casing of the identifier again without impacting end users. We’ve also implemented additional tests to prevent similar issues in the future.
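The failure mode described above, as an added example that is not Staffbase's code: a minimal in-memory user directory whose externalID lookup can be switched between case-insensitive and case-sensitive matching. The class, the function names and the sample ID are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Directory:
    case_sensitive: bool
    jit: bool = False  # on-demand user creation at first SSO login
    users: dict = field(default_factory=dict)  # lookup key -> externalID as stored

    def _key(self, external_id: str) -> str:
        # Case-insensitive mode folds case for the lookup key only.
        return external_id if self.case_sensitive else external_id.casefold()

    def provision(self, external_id: str) -> None:
        self.users.setdefault(self._key(external_id), external_id)

    def sso_login(self, asserted_id: str) -> str:
        key = self._key(asserted_id)
        if key in self.users:
            return "login"
        if self.jit:
            self.users[key] = asserted_id  # second account for the same person
            return "created"
        return "denied"

    def casing_duplicates(self) -> list:
        """Stored IDs that collide once case is ignored (check before reverting)."""
        groups = {}
        for stored in self.users.values():
            groups.setdefault(stored.casefold(), []).append(stored)
        return [sorted(g) for g in groups.values() if len(g) > 1]

def replay(case_sensitive: bool, jit: bool):
    """Provision one user, then log in with the same ID in different casing."""
    d = Directory(case_sensitive=case_sensitive, jit=jit)
    d.provision("Alice.Smith@example.com")       # constructed sample ID
    outcome = d.sso_login("alice.smith@example.com")  # casing sent by the IdP
    return outcome, d.casing_duplicates()

if __name__ == "__main__":
    for cs, jit in [(False, False), (True, False), (True, True)]:
        print(f"case_sensitive={cs} jit={jit} ->", replay(cs, jit))
```

The three replays double as a regression test for identifier matching: the same mixed-case login must succeed, and the duplicate check must come back empty, after any change to how externalID is compared.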
Please contact us at support@staffbase.com if you have any further questions regarding this topic or if any feature is still impacted, contrary to our expectations.