We have an SSO integration with Azure App Proxy, where we are facing an intermittent issue of users getting redirected to the Error URL configured in properties.xml, i.e. "401 Unauthorized". Can you help us understand what is causing the issue?
If the session is expired, we expect it to redirect to the configured timeout URL.
Validation Steps
Some of the identified ways to recreate this intermittent issue are listed below:
Method 1
Method 2
1: Log in to the Clarity application and open developer tools
2: In Developer Tools > Application > Cookies, check the values of sessionid and AUTH_TOKEN
3: Let the Clarity session expire; you can validate the session with the queries below
select u.user_name, s.user_id, s.session_id, u.last_logged_in_date, s.session_start_date, s.session_end_date
from cmn_sec_users u
join cmn_session_audits s on u.id = s.user_id
where u.id in (<user_ID>)
order by s.session_start_date desc;
select * from cmn_sessions where user_id = <user_ID>;
4: Once the Clarity session has expired after the configured number of minutes, duplicate the existing Clarity tab
5: Azure will kick in and generate a new session, and the Clarity application will load fine. Validate the sessionid value; it will be different from the one in step 2
6: Log out of the newly duplicated tab
7: Go to the old tab, which still holds the invalid session, and try to perform any action on the page. The sessionid becomes blank and no re-login page is shown to the user; instead, a blank sessionid is passed.
Component: Clarity PPM On Premise
Release: 16.1.3 or higher
The issue seems to be related to the Azure App Proxy integration, which in some scenarios fails to trigger a login process once the session is invalidated/expired by Clarity. Make sure the SSO has a check that forces the login process when the session id is empty/null.
Note: Once the session is expired and the user duplicates the tab, Azure will trigger a proper login flow, either by prompting the user for a new login or by reauthenticating and generating a fresh session id.
Ensure your SSO integration has a check that forces re-login when the session id is empty/null.
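The empty/null check recommended above, sketched as an added example (not Clarity or Azure App Proxy code). The cookie name sessionid comes from the validation steps; the function names, the outcome labels and the isSessionLive lookup are hypothetical.

```javascript
// Added example. Decides what to do with a request based on its Cookie header,
// so that a blank sessionid leads to a login flow instead of the 401 error URL.

// Parse a Cookie header into a name -> value map (first occurrence wins).
function parseCookies(header) {
  const jar = new Map();
  for (const part of (header || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue; // not a name=value pair
    const name = part.slice(0, eq).trim();
    let value = part.slice(eq + 1).trim();
    // Strip one pair of surrounding double quotes, e.g. sessionid=""
    if (value.length >= 2 && value.startsWith('"') && value.endsWith('"')) {
      value = value.slice(1, -1);
    }
    if (!jar.has(name)) jar.set(name, value);
  }
  return jar;
}

// Treat a missing cookie, an empty or whitespace value, and the literal
// strings "null"/"undefined" (a common client-side serialisation slip) as blank.
function isBlank(value) {
  if (value === undefined || value === null) return true;
  const v = value.trim().toLowerCase();
  return v === "" || v === "null" || v === "undefined";
}

// isSessionLive is a caller-supplied (hypothetical) lookup, for example one
// backed by the cmn_sessions table queried in the validation steps.
function classifyRequest(cookieHeader, isSessionLive) {
  const sessionId = parseCookies(cookieHeader).get("sessionid");
  if (isBlank(sessionId)) return "FORCE_LOGIN";      // the case from step 7
  if (!isSessionLive(sessionId)) return "SESSION_TIMEOUT"; // expired: timeout URL
  return "ALLOW";
}

// Constructed sample headers, as they might be copied from developer tools.
const liveSessions = new Set(["constructed-live-id"]);
const lookup = (id) => liveSessions.has(id);
console.log(classifyRequest("sessionid=constructed-live-id; AUTH_TOKEN=t", lookup));
console.log(classifyRequest("sessionid=; AUTH_TOKEN=t", lookup));
console.log(classifyRequest("sessionid=constructed-old-id", lookup));
```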
Additional configuration to check