Azure AD SAML SSO using social auth causes frequent 503 errors

[ghost]

I have a 3.7.2 Netbox deployment running in K8s using the netbox-chart. I am trying to configure SSO with SAML using Azure AD. I'm using SAML as it seems like the documents OAuth method doesn't support group mappings. Sometimes authentication works correctly. An unknown user is created in Netbox with the correct attributes and is signed in. However logging out and logging in again results in a 503. In the netbox logs I see the following:

netbox 10.42.1.129 - - [20/Feb/2024:21:02:12 +0000] "GET /login/?next=/ HTTP/1.1" 200 5155 "https://netbox.example.net/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36"                                                                                                                                                                                                                  
netbox 10.42.1.129 - - [20/Feb/2024:21:02:13 +0000] "GET /oauth/login/saml/?next=%2F&idp=saml HTTP/1.1" 302 0 "https://netbox.example.net/login/?next=/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36"                                                                                                                                                                                      
netbox 2024/02/20 21:02:14 [alert] 19#19 app process 89 exited on signal 11                                                                                                  
netbox 10.42.1.129 - - [20/Feb/2024:21:02:14 +0000] "POST /oauth/complete/saml/ HTTP/1.1" 503 54 "https://login.microsoftonline.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36"                                                                                                                                                                                                             
netbox 2024/02/20 21:02:16 [info] 93#93 "netbox" application started                                                                                                                                                                                                                                                                                                                                                                                                      
netbox 10.27.4.22 - - [20/Feb/2024:21:02:16 +0000] "GET /login/ HTTP/1.1" 200 5079 "-" "kube-probe/1.27"                                                                                                                                                                                                                                                                                                                                                                  
netbox 🧬 loaded config '/etc/netbox/config/configuration.py'                                                                                                                                                                                                                                                                                                                                                                                                             
netbox 🧬 loaded config '/etc/netbox/config/extra.py'                                                                                                                                                                                                                                                                                                                                                                                                                     
netbox 🧬 loaded config '/etc/netbox/config/logging.py'                                                                                                                                                                                                                                                                                                                                                                                                                   
netbox 🧬 loaded config '/etc/netbox/config/plugins.py'                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   
netbox 10.27.4.22 - - [20/Feb/2024:21:02:26 +0000] "GET /login/ HTTP/1.1" 200 5079 "-" "kube-probe/1.27"

Here's the relevant part of my Netbox config in the helm chart values:

        DEBUG: true
        SOCIAL_AUTH_REDIRECT_IS_HTTPS: True
        SOCIAL_AUTH_SAML_SP_ENTITY_ID: <sp-entity-id>
        SOCIAL_AUTH_SAML_SP_PUBLIC_CERT: "<cert>"
        SOCIAL_AUTH_SAML_SP_PRIVATE_KEY: "<cert>"
        SOCIAL_AUTH_SAML_ORG_INFO:
          en-US:
            name: Netbox
            displayname: Netbox
            url: https://netbox.example.net

        SOCIAL_AUTH_SAML_TECHNICAL_CONTACT:
          emailAddress: <email>
          givenName: Support

        SOCIAL_AUTH_SAML_SUPPORT_CONTACT:
          emailAddress: <email>
          givenName: Support

        SOCIAL_AUTH_SAML_ENABLED_IDPS:
          saml:
            entity_id: <entity_id>
            url: <saml login url>
            attr_user_permanent_id: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            attr_username: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            attr_first_name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
            attr_last_name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
            attr_email: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
            attr_full_name: http://schemas.microsoft.com/identity/claims/displayname
            x509cert: <cert>

        SOCIAL_AUTH_SAML_EXTRA_DATA:
          - ("http://schemas.microsoft.com/ws/2008/06/identity/claims/groups", "groups")

        SOCIAL_AUTH_PIPELINE:
          [
            "social_core.pipeline.social_auth.social_details",
            "social_core.pipeline.social_auth.social_uid",
            "social_core.pipeline.social_auth.social_user",
            "social_core.pipeline.user.get_username",
            "social_core.pipeline.social_auth.associate_by_email",
            "social_core.pipeline.user.create_user",
            "social_core.pipeline.social_auth.associate_user",
            "netbox.authentication.user_default_groups_handler",
            "social_core.pipeline.social_auth.load_extra_data",
            "social_core.pipeline.user.user_details",
          ]

While debugging this I have removed my custom group mapping step from the pipeline. Issue seems to happen with or without that, so it doesn't seem related.

Are there any more logs I could find related to this? There's nothing on the NGINX logs for the cluster ingress controller. I also find it weird the netbox process is exiting and restarting without any sort of error message while netbox is in debug mode.

Any pointers would be appreciated.