← Back to portfolio

SSO Troubleshooting Tracer

Status

Design and Prototype

Maturity

Browser extension concept with documented flow

Evidence

Flow documentation complete · Sanitized trace report added · Repo pending

Next

Build Chrome extension MVP

Architecture

Browser
Service Provider
Identity Provider
Assertion / Token
Diagnostic Report

Problem Statement

SSO failures are opaque by design — assertions are base64-encoded, tokens are JWT-encoded, and error messages from service providers are deliberately vague. Enterprise support teams spend significant time diagnosing federation failures that could be resolved in minutes with the right tooling. MTTR for SSO outages is disproportionately high relative to the underlying complexity of most failures.

What Was Built

A structured SSO troubleshooting workflow with a documented failure pattern library covering SAML 2.0 and OIDC. The design targets a browser extension that captures SSO traffic, decodes payloads, redacts sensitive fields, and maps observed symptoms to known failure patterns with resolution steps.

The current artefact is the documented workflow and failure pattern library. The browser extension implementation is the next milestone.

Supported Protocols

SAML 2.0

  • · POST binding trace and decode
  • · Assertion structure inspection
  • · Signature and certificate validation
  • · Attribute mapping verification
  • · Conditions: NotBefore, NotOnOrAfter, AudienceRestriction

OIDC / OAuth 2.0

  • · Authorization code flow analysis
  • · PKCE: code_challenge and code_verifier verification
  • · Token exchange inspection
  • · Redirect URI validation
  • · Cookie and session state analysis

SSO Failure Pattern Library

Failure PatternProtocolSymptomDetectionResolution
Clock skewSAMLNotBefore/NotOnOrAfter rejectedCompare IdP and SP system timesSync NTP; allow 5-min skew
Wrong ACS URLSAMLSP rejects assertion destinationCompare Destination vs SP ACS URLCorrect SP metadata or IdP config
Expired signing certSAMLSignature validation failureCheck IdP cert expiry vs SP metadataRenew cert, update SP metadata
Missing attributeSAMLSP returns access deniedInspect assertion attributesAdd attribute mapping in IdP
Missing PKCE verifierOIDCToken endpoint returns invalid_grantCheck code_verifier and hashImplement PKCE correctly
SameSite cookie issueOIDCSession cookie not set after redirectInspect Set-Cookie headersSet SameSite=None; Secure
Wrong redirect URIOIDCAuth server returns invalid_requestCompare registered vs actual redirect_uriRegister correct URI in IdP

SSO Trace Report — Sanitized Demo View

Sanitized demo view — production data redacted. Illustrative trace based on the documented failure patterns above.

SAML 2.0 Trace — Clock Skew FailureSANITIZED DEMO VIEW

Session ID

sess-[redacted]

Protocol

SAML 2.0

IdP

idp.[redacted].com

SP

sp.[redacted].com

Trace steps

  1. 09:14:22Z AuthnRequest sent to idp.[redacted].com
  2. 09:14:23Z IdP authentication successful
  3. 09:14:24Z SAMLResponse POST to sp.[redacted].com/acs
  4. 09:14:24Z Assertion rejected — NotBefore condition failed
<saml:Conditions NotBefore="2026-05-17T09:16:00Z"
NotOnOrAfter="2026-05-17T09:21:00Z">
<!-- SP clock: 2026-05-17T09:13:45Z — 136s behind IdP -->

Detected failure: Clock Skew

SP system clock is 136 seconds behind IdP. NotBefore condition fails SP-side validation.

Resolution

Sync SP NTP. Allow 5-minute clock skew tolerance in SP SAML configuration (standard: 300 s).

Employer Value

Risk reduced

Prolonged SSO outages due to opaque failure diagnosis

Operational value

Structured diagnostics reduce MTTR for federation issues

IAM domain

SAML 2.0, OIDC, federation troubleshooting

Seniority signal

Tooling design for enterprise support — not just protocol knowledge

Evidence Roadmap

The following evidence items are planned or in progress. Documentation and architecture content is complete; screenshots, repos, and demos will be added as the project matures.

Failure pattern library

[ Documented above ]

SSO Trace Report

[ Sanitized trace report added ]

Browser extension prototype

[ Repo pending ]

Demo video

[ Demo video pending ]

SAML decode walkthrough

[ Screenshot pending ]