SAML/SSO: Logins fail or are inconsistent because sessions switch between Confluence Data Center nodes installed in Kubernetes with NGINX Ingress Controller as load balancer

Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

  • When logging in to a Confluence site that is hosted in Kubernetes and integrated with SAML/SSO, the client (browser) switches sessions from one node to another, and the login fails.

  • This can be confirmed by checking the "NodeID" printed at the bottom of the Confluence page: if that NodeID changes during login, the load balancer is not persisting sessions and the client is "bouncing" between nodes.

Environment

  • Kubernetes

  • Atlassian DC Helm Charts

  • Confluence multi-node instance

  • NGINX Ingress Controller/load balancer

  • SAML/SSO

Diagnosis

All versions of Confluence (multi-node) installed in Kubernetes with NGINX Ingress/Ingress Controller as the load balancer and integrated with SAML/SSO.

We strongly suggest checking with your load balancer/proxy server team before adding or updating any annotations on the load balancer/proxy server, as doing so could expose the site to security vulnerabilities.

Cause

  • The session affinity ("sticky sessions") cookie is not persistent on the load balancer.

  • Sometimes the browser lets the cookie through and sometimes it does not.

Solution

For this particular issue, which is specific to the Kubernetes NGINX Ingress Controller, adding the annotation below fixes the problem.

nginx.ingress.kubernetes.io/session-cookie-samesite: None

  • SameSite=None means that the browser sends the cookie with both cross-site and same-site requests.

  • The Secure attribute must also be set when setting this value. None cookies are always sent, regardless of whether you're in a same-site or cross-site scenario.
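
To confirm the annotation took effect, the affinity cookie returned by the ingress should carry both SameSite=None and Secure. The checker below is an added example, not Atlassian's code; the cookie name INGRESSCOOKIE (the ingress-nginx default) is an assumption and the sample headers are constructed.

```python
# Added example: audit the sticky-session cookie in captured response headers.
# Assumption: cookie name INGRESSCOOKIE (ingress-nginx default); pass your own.

def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, {lowercased attribute: value})."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_affinity_cookie(raw_headers, cookie_name="INGRESSCOOKIE"):
    """Return findings for the affinity cookie; an empty list means it passes."""
    findings, seen = [], False
    for line in raw_headers.splitlines():
        field, sep, value = line.partition(":")
        if not sep or field.strip().lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        if name != cookie_name:
            continue  # other cookies (e.g. JSESSIONID) are out of scope here
        seen = True
        samesite = attrs.get("samesite")
        if samesite is None:
            findings.append("SameSite attribute missing")
        elif samesite.lower() != "none":
            findings.append(f"SameSite={samesite}, expected None")
        if "secure" not in attrs:
            findings.append("Secure attribute missing")
    if not seen:
        findings.append(f"no Set-Cookie header for {cookie_name}")
    return findings


# Constructed sample headers (not captured from a real site).
BEFORE = ("HTTP/1.1 200 OK\r\n"
          "Set-Cookie: INGRESSCOOKIE=abc123; Path=/; HttpOnly\r\n"
          "Set-Cookie: JSESSIONID=XYZ; Path=/; HttpOnly\r\n")
AFTER = ("HTTP/1.1 200 OK\r\n"
         "Set-Cookie: INGRESSCOOKIE=abc123; Path=/; Secure; HttpOnly; SameSite=None\r\n")

if __name__ == "__main__":
    print("before:", audit_affinity_cookie(BEFORE))
    print("after: ", audit_affinity_cookie(AFTER))
```

Feed it the headers saved from a request to the Confluence base URL through the ingress; run it before and after the annotation change to compare.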

Updated on March 5, 2025
