Investigating Root Causes of Authentication Failures Using a SAML and OIDC Observatory

摘要

Authentication is the most critical gatekeeper to the web applications that scientists use to carry out collaborative research. While authentication rarely fails, the impact of failures is huge, and root causes are not well understood. This paper analyzes the root causes of authentication failures from a production authentication system called CIL-ogon, an ideal observatory to monitor authentication issues in a distributed identity federation. CILogon is used by 250+ identity providers and 150+ web applications while acting as a proxy to bridge different single sign-on protocols (OIDC and SAML). Our data on authentication is unique because it is: i) longitudinal (over thirty months), ii) realistic (8,000+ active users), and iii) large-scale (nearly three thousand failures out of 447,428 successful authentications). Our finding is surprising: OIDC has about double the failure rate compared to SAML, which contrasts with our prior belief that SAML is much more complex than OIDC. Our most impactful contribution is a fault tree of error types that quickly finds and mitigates the root cause of authentication errors.