Platform: Global - Federation Error 102 Missing SSO Attribute

Incident Report for Delinea

Postmortem

Incident Overview

On March 12, 2026, a subset of customers in Australia (AU) and the United States (US) regions began experiencing Federation configuration error. The issue rooted from a planned software update that prevented some users from logging in to Platform. This was caused by the user session becoming corrupted or inconsistent.

Start Time: March 12, 2026 – 01:33 UTC

End Time: March 12, 2026 – 14:43 UTC

At the time of the incident only AU and US were marked as impacted, but later investigations identified that it impacted subset of clients globally.

Root Cause

The incident was caused by a defect introduced in the Identity API release that corrupted user authentication state for federated users.

This error persisted even after the deployment was rolled back, requiring a targeted fix to repair affected tenants.

Key contributing factors included:

A defect in the new Identity API release caused user accounts to enter a broken state upon authentication.

Automated background session refreshed affected users who were not actively logged in, extending the scope of the impact beyond those actively using the platform.

The sequence of multiple coordinated releases made it more difficult to isolate the faulty component quickly

Preventive Actions

A targeted new build was developed and deployed to handle users who entered the bad state, fully resolving the incident.
We are adding additional pre-release testing for federated authentication flows: All releases that touch authentication, Identity, or federation service will have dedicated test coverage.
Cross-service release dependency review: We are confirming that the combination of releases has been tested together in lower silos, not just each service in isolation.

Posted Mar 26, 2026 - 01:29 EDT

Resolved

This incident has been resolved.

Posted Mar 12, 2026 - 10:38 EDT

Monitoring

A fix has been implemented and we are monitoring the results.

Posted Mar 12, 2026 - 09:47 EDT

Update

We are aware that some customers are unable to apply the previously communicated workaround due to the error: "Entra Tenant Id is already in use."

We are currently working to deploy a permanent fix that will resolve this issue without requiring customers to apply the workaround. We will provide a further update once the fix has been successfully deployed.

We apologize for the inconvenience and thank you for your patience.

Posted Mar 12, 2026 - 07:16 EDT

Update

We have verified a fix for this issue and will be deploying a hotfix at the earliest opportunity.

Once the hotfix is applied, affected customers who applied the workaround will be able to revert their "Map federated user to existing directory user" setting back to Disabled.

We will provide an update once the hotfix has been successfully deployed.

Posted Mar 12, 2026 - 02:15 EDT

Identified

We have identified that affected customers have their "Map federated user to existing directory user" setting configured as Disabled, which is not the default setting. The default value for this setting is Optional.

1. From the left navigation, click Settings, then select Federation Providers.
2. Click the name of your federation provider.
3. On the Settings tab, click Edit.
4. Under User Mappings, locate the "Map federated user to existing directory user" option.
5. Change the value from Disabled to Optional.
6. Click Save.

We are currently working on a remediation and will provide an update once it is complete.

Posted Mar 12, 2026 - 00:59 EDT

Update

We are continuing to investigate this issue.

Posted Mar 11, 2026 - 22:57 EDT

Investigating

We are currently investigating an issue affecting SSO authentication for some customers. Impacted users are encountering Federation Error 102 during login.

Our team is actively investigating.

Posted Mar 11, 2026 - 21:49 EDT

This incident affected: UK (Platform), US (Platform), EU (Platform), SEA (Platform), AU (Platform), and UAE (Platform).