Multiple Deployments: Duo SSO Authentication Failures for some customers

Incident Report for Duo

Postmortem

Summary

On January 30, 2025, at 10:08am EST Duo's Engineering Team rolled out a planned infrastructure update as part of a capacity planning initiative.

As a result of the changes made in that update one of Duo’s Single Sign-On (SSO) servers failed to properly reconnect to one of the necessary components that serves a key role in our authentication path. This led to authentication failures for some of our customers.

Upon being alerted of the incident by impacted customers the Duo team restarted the impacted server and authentications returned to normal. In total, 50 customers were impacted.

Deployments Impacted

DUO1

DUO2

DUO4

DUO6

DUO10

DUO13

DUO15

DUO16

DUO18

DUO19

DUO23

DUO28

DUO31

DUO33

DUO36

DUO37

DUO41

DUO60

DUO79

DUO80

Timeline of Events EST

2025-01-30 10:08 Duo rolled out a planned infrastructure update.

2023-01-30 12:50 Duo engineering was alerted of multiple customers experiencing SSO authentication failures.

2025-01-30 13:01 Duo engineering ran a restart on the impacted server

2025-01-30 13:11 The service was observed to be fully restored and all SSO authentications were

working again.

Further Details

Customer Impact

50 Duo SSO customers had at least 1 user that was impacted by this outage.

What is Duo doing to prevent this in the future?

Duo Engineering has several planned action items to improve our observability on this specific kind of issue. Our alerting failed to identify us in the timely manner of the issue.

Duo Engineering is also exploring application updates that will prevent reconnection issues like the one experienced during this outage from happening again.

Customer Suggested Steps

If you are a Duo SSO customer, please follow the guidance in our documentation to set up multiple Duo Authentication Proxies for a high availability SSO configuration. We confirmed that customers who used the recommended HA setup were impacted far less than those who did not. While Duo is working to make sure this kind of outage doesn’t happen again, maintaining a high availability setup has proven to help avoid a variety of common failures modes and is therefore still a highly recommended step for all customers using Duo SSO. More information on how to do this can be found in this Knowledge Base article.

Note: You can find your Duo deployment’s ID and sign up for updates via the Status Page by following the instructions in this knowledge base article.

Posted Feb 03, 2025 - 15:44 EST

Resolved

We can now confirm that SSO authentications are now fully operational and the issue is resolved. We will provide an RCA as soon as it is available.

In the meantime, we highly recommend configuring multiple Duo Authentication Proxies, ideally 3, for Duo SSO for redundancy, as only customers who had a single proxy were impacted. More details on this can be found here:
https://duo.com/docs/sso#configure-your-authentication-source
https://help.duo.com/s/article/6321

Posted Jan 30, 2025 - 13:55 EST

Update

We are continuing to monitor for any further issues.

Posted Jan 30, 2025 - 13:37 EST

Monitoring

We have implemented a fix and are seeing successful recovery of Duo SSO authentications for impacted customers. We will continue monitoring to ensure the issue is fully resolved.

Posted Jan 30, 2025 - 13:34 EST

Investigating

We are investigating an issue that is causing a small number of customers to experience authentication failures when logging into applications protected by Duo SSO.

Posted Jan 30, 2025 - 13:27 EST

This incident affected: DUO1 (SSO), DUO2 (SSO), DUO4 (SSO), DUO6 (SSO), DUO10 (SSO), DUO13 (SSO), DUO15 (SSO), DUO16 (SSO), DUO18 (SSO), DUO19 (SSO), DUO23 (SSO), DUO28 (SSO), DUO31 (SSO), DUO33 (SSO), DUO36 (SSO), DUO37 (SSO), DUO41 (SSO), DUO60 (SSO), DUO79 (SSO), and DUO80 (SSO).