Platform Identity: All Regions - IDP-initiated authentication issue

Incident Report for Delinea

Postmortem

Impact 

A subset of users could not access their Delinea Platform tenants due to an authentication issue. 

  • Start of Impact: March 6, 2025, at 02:52 UTC 

  • End of Impact: March 6, 2025, at 04:40 UTC 

Incident Overview 

The issue affected users attempting authentication under a very specific set of conditions: 

  • IDP-initiated authentication (not direct login) 

  • 'Federation Satisfies All Mechs' enabled in the authentication policy 

  • Authentication rules where the second challenge could not be answered by the user attempting to log in 

Under these circumstances, authentication would fail. This was an edge case, and the impact was limited in scope. 

Root cause 

After the scheduled infrastructure upgrades for the Identity Service on the Delinea platform, we began receiving reports around 02:52 UTC on March 6, 2025, about an issue affecting IDP-initiated authentication. After rolling back the recent deployment, we’ve confirmed that the issue has been resolved. The rollback restored system stability, and everything is functioning as expected. Any necessary fixes or improvements will be included in the next scheduled deployment.  

Preventative Actions 

To prevent similar issues in the future, we are implementing the following measures: 

  1. Expanded Test Coverage: Introducing test cases specifically covering this edge case to identify such issues before deployment. 

  2. Logging and Monitoring Enhancements: Strengthening logging mechanisms to detect and flag unusual authentication failures earlier.

Posted Mar 13, 2025 - 01:05 EDT

Resolved

This incident has been resolved. The rollback of the updates has been successfully completed, and services are now fully restored. We continue to monitor the system to ensure stability. Thank you for your patience.
Posted Mar 06, 2025 - 00:03 EST

Monitoring

We have identified an issue with the recent roll-out that prevented users from logging into the platform via IDP-initiated login under certain conditions. This occurred when users had an authentication profile with MFA mechanisms they could not answer, while the policy setting "Platform login via federation satisfies all MFA mechanisms" was enabled.
Posted Mar 05, 2025 - 22:36 EST

This incident affected: UK (Platform), US (Platform), EU (Platform), SEA (Platform), AU (Platform), and CA (Platform).