Closed robotdan closed 5 years ago
This feels a bit like it's skating to where the puck has been. I see the sense in #3 so that FusionAuth can act as a SAML IdP but increasingly we'll be pushing our customers towards OpenID Connect, especially as the vast majority of our customers are either Azure AD, AD FS (2016), Google or Okta.
@scopendo Ha, you're correct. We have been resisting adding SAML support for about three years now (Passport before the FusionAuth name). We've always felt there are better options, and did not want to "enable" anyone to use SAML but instead push them forward.
OpenID Connect is a much better option for most people, and we would much prefer everyone use that instead.
Unfortunately SAML is still very widely used and we just have so many requests to support FusionAuth as a SAML SP. There are many older instances of AD in the wild that do not yet support OIDC, and ones that do - but the IT group managing it only knows SAML.
So in the interest of casting a wider net, we'll be supporting SAML. :-)
Fair enough, plus I just noticed that G Suite admin only lets you add a custom app that uses SAML!
On Sat, 20 Apr 2019, 14:27 Daniel DeGroff, notifications@github.com wrote:
Yeah. Crazy! Haha
We have been testing against that for a week or so now. It seems like Google and a few others have correct implementations of SAML while a bunch of providers hacked together solutions that likely only work with Active Directory.
Hopefully we will get some assistance in testing with lots of additional providers once the feature is released.
In my opinion, SAML is old and broken, but that won’t change the fact that it is gonna stick around for many more years.
One cool movement forward is that Azure Active Directory appears to be dropping their SAML support in new versions.
Available in 1.6.0, enjoy! https://fusionauth.io/docs/v1/tech/identity-providers/samlv2
SAML2 Federation
Problem
Currently FusionAuth supports OpenID Connect, Facebook, Twitter and Google as third party identity providers.
I want to be able to federate login to a SAML2 IDP using an Identity Provider configuration in FusionAuth.
Solution
Add a new Identity Provider type for SAML2.
Alternatives/workarounds
If the IDP also supports OpenID Connect, this is an alternative; otherwise there are no known alternatives.
Additional context
Related to https://github.com/FusionAuth/fusionauth-issues/issues/3
How to vote
Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.