SAML issues

Incident Report for Split by Harness

Postmortem

Summary

An upgrade on the third party authentication platform used by Split, FusionAuth, caused initial issues related with older SAML cert algorithms that prevented a number of customer’s users from logging in with SSO to the Split web console.

A second issue was caused by a Harness/Split deployment that included code changes impacting the authN flow. These changes were masked by the first issue. This second issue was affecting a number of customers who have SCIM enabled, whose users were unable to login via SSO to the Split web console.

Issue

Many Split customers are using SSO configurations that have signing certificates based on older less secure algorithms, in this case #rsa-sha1.

The FusionAuth upgrade also upgraded the version of Java used within the FusionAuth cloud service from v17 to v21. Java 21 raised the security baseline by disabling several legacy and weak cryptographic algorithms by default, including #rsa-sha1.

After the upgrade, some customer’s users were unable to login to the Split web console when using SSO.

There was a further complication caused by a Harness/Split deployment with changes that were incorrectly handling the authentication token sent from resulting in 404 responses.

When a SCIM org user logs into Split via FusionAuth and using SSO, a user-update event is triggered because of minor changes to the user record (such as last login timestamp) and this user-event is sent as a request to a web-hook handled by a Split service. As part of validating this request, a request is made to fetch the organization memberships of the user included in the event, and it was this request that was not being handled correctly and sending back a 404 response which triggered a 500 response back to FusionAuth, failing the web-hook request and subsequently the SSO login flow.

Timeline

Time (IST) Event
7/22/2025 00:00 UTC FusionAuth production cloud instance upgraded
7/22/2025 15:00 UTC First customer reported issue with SSO logins
7/22/2025 15:20 UTC Slack thread opened with FusionAuth support
7/22/2025 16:00 UTC Deployment to production
7/22/2025 18:05 UTC FusionAuth applied a fix to address the SAML cert issue
7/22/2025 18:32 UTC FME Incident opened
7/22/2025 19:14 UTC Previous deployment rolled back
7/23/2025 15:00 UTC AuthZ fix deployed
7/23/2025 16:00 UTC Incident marked as resolved

RCA

The issue was caused by a FusionAuth upgrade which incorrectly applied stricter SAML certificate enforcement rules. The issue was compounded by a deployment which was incorrectly managing the authentication on some endpoints and affecting SAML login flows.

Action Items

Improvements

  • Improve logging/monitoring on the webhooks used in the authentication and validation service.
  • Update alerts for SAML and FusionAuth client errors to generate more effective notifications.
  • Collaborate with the FusionAuth team on upgrades to better analyze the potential impact before applying any further upgrades.
Posted Aug 27, 2025 - 18:04 PDT

Resolved

This incident has been resolved.
Posted Jul 22, 2025 - 13:46 PDT

Monitoring

A fix has been implemented and we are monitoring the results.
Posted Jul 22, 2025 - 12:46 PDT

Identified

The issue has been identified and a fix is being implemented.
Posted Jul 22, 2025 - 12:37 PDT

Investigating

We are investigating an issue causing intermittent failures during SSO for some of our customers.

This only affects web console SSO. Login using email and password via https://app.split.io/login is available for organizations configured to allow non-SSO logins.

Feature flag evaluations using our SDKs are unaffected, as are all integrations and data processing.
Posted Jul 22, 2025 - 11:50 PDT
This incident affected: Web Console.
Current Status Powered by Atlassian Statuspage