TY - GEN
T1 - Investigating Root Causes of Authentication Failures Using a SAML and OIDC Observatory
AU - Basney, Jim
AU - Cao, Phuong
AU - Fleury, Terry
N1 - Funding Information:
This material is based upon work supported by the National Science Foundation under grant numbers 1535070, 1547249, and 1548562. The authors thank the anonymous reviewers for their input which helped us improve this article.
Publisher Copyright:
© 2020 IEEE.
PY - 2020/12
Y1 - 2020/12
N2 - Authentication is the most critical gatekeeper to the web applications that scientists use to carry out collaborative research. While authentication rarely fails, the impact of failures is huge, and root causes are not well understood. This paper analyzes the root causes of authentication failures from a production authentication system called CILogon, an ideal observatory to monitor authentication issues in a distributed identity federation. CILogon is used by 250+ identity providers and 150+ web applications while acting as a proxy to bridge different single sign-on protocols (OIDC and SAML). Our data on authentication is unique because it is: i) longitudinal (over thirty months), ii) realistic (8,000+ active users), and iii) large-scale (nearly three thousand failures out of 447,428 successful authentications). Our finding is surprising: OIDC has about double the failure rate compared to SAML, which contrasts with our prior belief that SAML is much more complex than OIDC. Our most impactful contribution is a fault tree of error types that quickly finds and mitigates the root cause of authentication errors.
AB - Authentication is the most critical gatekeeper to the web applications that scientists use to carry out collaborative research. While authentication rarely fails, the impact of failures is huge, and root causes are not well understood. This paper analyzes the root causes of authentication failures from a production authentication system called CILogon, an ideal observatory to monitor authentication issues in a distributed identity federation. CILogon is used by 250+ identity providers and 150+ web applications while acting as a proxy to bridge different single sign-on protocols (OIDC and SAML). Our data on authentication is unique because it is: i) longitudinal (over thirty months), ii) realistic (8,000+ active users), and iii) large-scale (nearly three thousand failures out of 447,428 successful authentications). Our finding is surprising: OIDC has about double the failure rate compared to SAML, which contrasts with our prior belief that SAML is much more complex than OIDC. Our most impactful contribution is a fault tree of error types that quickly finds and mitigates the root cause of authentication errors.
KW - Authentication
KW - distributed systems
KW - error analysis
KW - error handling and recovery
UR - http://www.scopus.com/inward/record.url?scp=85102240681&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85102240681&partnerID=8YFLogxK
U2 - 10.1109/DependSys51298.2020.00026
DO - 10.1109/DependSys51298.2020.00026
M3 - Conference contribution
AN - SCOPUS:85102240681
T3 - Proceedings - 2020 IEEE 6th International Conference on Dependability in Sensor, Cloud and Big Data Systems and Application, DependSys 2020
SP - 119
EP - 126
BT - Proceedings - 2020 IEEE 6th International Conference on Dependability in Sensor, Cloud and Big Data Systems and Application, DependSys 2020
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 6th IEEE International Conference on Dependability in Sensor, Cloud and Big Data Systems and Application, DependSys 2020
Y2 - 14 December 2020 through 16 December 2020
ER -