An upgrade of FusionAuth, the third-party authentication platform used by Split, caused initial issues related to older SAML cert algorithms that prevented a number of customers' users from logging in with SSO to the Split web console.
A second issue was caused by a Harness/Split deployment that included code changes impacting the authN flow. These changes were masked by the first issue. This second issue affected a number of customers who have SCIM enabled, whose users were unable to log in via SSO to the Split web console.
Many Split customers use SSO configurations whose signing certificates are based on older, less secure algorithms, in this case #rsa-sha1.
The FusionAuth upgrade also upgraded the version of Java used within the FusionAuth cloud service from v17 to v21. Java 21 raised the security baseline by disabling several legacy and weak cryptographic algorithms by default, including #rsa-sha1.
After the upgrade, some customers' users were unable to log in to the Split web console when using SSO.
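One way to find SSO configurations that still depend on #rsa-sha1 before such an upgrade is to scan the XML signature blocks for SHA-1 algorithm identifiers. The following is an added example, not code from Split, Harness or FusionAuth; the function names, org names and sample XML are constructed for illustration, and the algorithm URIs are the standard W3C XML-DSig identifiers.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
# SHA-1 based XML-DSig algorithm URIs (signature methods and the bare digest).
SHA1_ALGORITHMS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#dsa-sha1",
    "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#sha1",
}

def sample_response(sig_alg, digest_alg):
    """Constructed sample: a trimmed SAML response signature, not real traffic."""
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
      xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="{sig_alg}"/>
    <ds:Reference URI="#_constructed"><ds:DigestMethod Algorithm="{digest_alg}"/></ds:Reference>
  </ds:SignedInfo></ds:Signature>
</samlp:Response>"""

def find_sha1_algorithms(xml_text):
    """Return (element name, algorithm URI) for every SHA-1 based method found."""
    # ElementTree is acceptable for this constructed sample; parse XML received
    # from outside with a hardened parser such as defusedxml.
    root = ET.fromstring(xml_text)
    findings = []
    for tag in ("SignatureMethod", "DigestMethod"):
        for el in root.iter(DS + tag):
            alg = el.get("Algorithm", "")
            if alg in SHA1_ALGORITHMS:
                findings.append((tag, alg))
    return findings

def audit(configs):
    """Map org name -> SHA-1 findings, omitting orgs that have none."""
    hits = {org: find_sha1_algorithms(xml) for org, xml in configs.items()}
    return {org: h for org, h in hits.items() if h}

if __name__ == "__main__":
    legacy = sample_response("http://www.w3.org/2000/09/xmldsig#rsa-sha1",
                             "http://www.w3.org/2000/09/xmldsig#sha1")
    modern = sample_response("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
                             "http://www.w3.org/2001/04/xmlenc#sha256")
    for org, found in audit({"org-a": legacy, "org-b": modern}).items():
        print(org, found)
```

Running the audit against captured test-login responses or IdP metadata for each SSO-enabled org gives a list of customers to contact before the platform stops accepting SHA-1 signatures.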
There was a further complication caused by a Harness/Split deployment with changes that were incorrectly handling the authentication token sent from resulting in 404 responses.
When a SCIM org user logs into Split via FusionAuth using SSO, a user-update event is triggered because of minor changes to the user record (such as last login timestamp), and this user-event is sent as a request to a webhook handled by a Split service. As part of validating this request, a request is made to fetch the organization memberships of the user included in the event. This membership request was not being handled correctly and returned a 404 response, which triggered a 500 response back to FusionAuth, failing the webhook request and subsequently the SSO login flow.
Time (UTC) | Event |
---|---|
7/22/2025 00:00 UTC | FusionAuth production cloud instance upgraded |
7/22/2025 15:00 UTC | First customer reported issue with SSO logins |
7/22/2025 15:20 UTC | Slack thread opened with FusionAuth support |
7/22/2025 16:00 UTC | Deployment to production |
7/22/2025 18:05 UTC | FusionAuth applied a fix to address the SAML cert issue |
7/22/2025 18:32 UTC | FME Incident opened |
7/22/2025 19:14 UTC | Previous deployment rolled back |
7/23/2025 15:00 UTC | AuthZ fix deployed |
7/23/2025 16:00 UTC | Incident marked as resolved |
The issue was caused by a FusionAuth upgrade which incorrectly applied stricter SAML certificate enforcement rules. The issue was compounded by a deployment which was incorrectly managing the authentication on some endpoints and affecting SAML login flows.