Why is our SSO login slow or timing out in AWS ECS?

❓ Question

SSO login to our application is extremely slow — often taking 30–40 seconds or more to complete. The app is running in AWS ECS. There’s no obvious error, but login performance is inconsistent and sometimes hangs entirely. What could be causing this?

✅ Answer

This behavior is commonly caused by the application layer (e.g., a Flask app using Python’s requests library) trying to connect to the identity provider (e.g., Microsoft login) via IPv6, even when the ECS task doesn't support outbound IPv6 traffic.

Here’s what happens:

• The app tries to reach https://login.microsoftonline.com over IPv6.
• The connection silently fails or stalls due to lack of IPv6 egress.
• The request eventually times out or falls back to IPv4 — adding a 20–40 second delay.
• curl may appear to work instantly because it defaults to IPv4.

🛠️ How to Fix It

🔪 Step 1: Confirm the issue

curl -v https://login.microsoftonline.com/.well-known/openid-configuration

If that works instantly inside the container but your app hangs, it's a code-level issue.

💡 Step 2: Force IPv4 in your Flask/Python app

import socket
import requests

# Force IPv4 resolution
orig_getaddrinfo = socket.getaddrinfo

def getaddrinfo_ipv4(host, port, family=0, type=0, proto=0, flags=0):
    return orig_getaddrinfo(host, port, socket.AF_INET, type, proto, flags)

socket.getaddrinfo = getaddrinfo_ipv4

response = requests.get('https://login.microsoftonline.com/.well-known/openid-configuration', timeout=5)
print(response.status_code)

⚙️ Optional: Disable IPv6 system-wide in the container

sysctl -w net.ipv6.conf.all.disable_ipv6=1

📌 Summary

If your ECS container environment lacks full IPv6 support — which is common — apps that default to IPv6 may encounter silent, slow timeouts during login. Forcing IPv4 resolution in application code is a reliable fix that significantly improves SSO performance.