Introduction
We would like to share more details about the events that occurred with Phrase between Friday February 2nd 2024 11:25 AM CEST and Monday February 5th 2024 11:40 AM CEST, which left customers unable to log in via Strings SAML, and what Phrase engineers are doing to prevent these issues from happening again.
Timeline
- February 2nd 2024 11:25 AM CEST: The issue was introduced by a change to the SSO feature
- February 5th 10:50 AM CEST: Following several customer reports, the issue was escalated and an incident was logged
- February 5th 11:48 AM CEST: A fix was implemented
- February 5th 2:02 PM CEST: The incident was considered resolved
Root Cause
The root cause was a combination of two changes:
- The init process switched the GET parameters (including ?id=customer) to POST parameters. As a result, the customer id was no longer carried as a query parameter in the redirect_uri (auth/callback/saml?id=customer); the redirect_uri was reduced to auth/callback/saml. This led to a redirect_uri mismatch against the value registered with the customer's identity provider.
- The init process switched from the legacy sso.phrase.com host to app.phrase.com. This host change also led to a redirect_uri mismatch.
Testing against our own Okta setup and a newly created test Okta setup worked fine, but multiple customers reached out to report that SAML login did not work for them.
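The two mismatches described above can be caught before deployment by comparing the redirect_uri the init process actually produces against the one registered with a customer's identity provider. The following Python is an added example written for this page, not Phrase's code; the function names, the "registered" sample value and the shape of the init functions are assumptions made for illustration, using the hosts and callback path named in the root cause.

```python
"""Regression check for redirect_uri drift in an SSO/SAML init flow.

Added example (not Phrase's code). It models the two changes named in the
root cause: moving the customer id from a GET query parameter into the
POST body, and moving the init host from sso.phrase.com to app.phrase.com.
Function names and the REGISTERED sample value are assumptions.
"""
from urllib.parse import parse_qs, urlencode, urlsplit


def build_redirect_uri(host: str, path: str, query: dict, scheme: str = "https") -> str:
    """Build the redirect_uri that the init process hands to the IdP."""
    uri = f"{scheme}://{host}/{path.lstrip('/')}"
    if query:
        uri += "?" + urlencode(query, doseq=True)
    return uri


def redirect_uri_mismatches(registered: str, actual: str) -> list:
    """Return the components on which `actual` differs from `registered`.

    An IdP compares the redirect_uri / callback URL it receives against the
    one registered for the customer; any difference in scheme, host, path or
    query string is a mismatch and the login fails. Empty list means match.
    """
    r, a = urlsplit(registered), urlsplit(actual)
    diffs = []
    if r.scheme != a.scheme:
        diffs.append(f"scheme: registered {r.scheme!r}, got {a.scheme!r}")
    if r.netloc != a.netloc:
        diffs.append(f"host: registered {r.netloc!r}, got {a.netloc!r}")
    if r.path != a.path:
        diffs.append(f"path: registered {r.path!r}, got {a.path!r}")
    if parse_qs(r.query, keep_blank_values=True) != parse_qs(a.query, keep_blank_values=True):
        diffs.append(f"query: registered {r.query!r}, got {a.query!r}")
    return diffs


# Constructed sample: the redirect_uri a customer registered with their IdP
# before the change (legacy host, customer id carried in the query string).
REGISTERED = "https://sso.phrase.com/auth/callback/saml?id=customer"


def legacy_init(customer_id: str) -> tuple:
    """Legacy behaviour: id travels as a GET parameter, so it is in the URI.

    Returns (redirect_uri, post_body)."""
    uri = build_redirect_uri("sso.phrase.com", "auth/callback/saml", {"id": customer_id})
    return uri, {}


def changed_init(customer_id: str) -> tuple:
    """Changed behaviour: host moved to app.phrase.com and id moved into the
    POST body, so it is no longer part of the redirect_uri at all.

    Returns (redirect_uri, post_body)."""
    uri = build_redirect_uri("app.phrase.com", "auth/callback/saml", {})
    return uri, {"id": customer_id}


def check_init(init_fn, customer_id: str = "customer") -> list:
    """Compare what an init implementation produces against the registered URI."""
    redirect_uri, _post_body = init_fn(customer_id)
    return redirect_uri_mismatches(REGISTERED, redirect_uri)


if __name__ == "__main__":
    print("legacy init:", check_init(legacy_init) or "OK")
    for problem in check_init(changed_init):
        print("changed init:", problem)
```

Run as a test against every customer's registered callback URL (not only an internal Okta setup), and a change like the one described here fails the check with two findings, one for the host and one for the dropped id query parameter, before any customer sees a failed login.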
Actions to Prevent Recurrence
- We implemented SSO host handling for SAML init.
- Migrate customers to the new IDM SAML solution.