Closed leesmith110 closed 1 year ago
Hiya @leesmith110 ! Thanks for filing an issue. I'm afraid I don't understand what you mean here:
> this would break the ability for our enterprise customers to choose either method of authentication
What do you mean by "choose either method of authentication"? Can you provide more details, maybe a list of steps that can be used with Auth0 and not with FusionAuth:
etc, etc.
Hi @mooreds,
Thanks for replying.
Currently in Auth0 we have Enterprise connections enabled with SAML, and you get the option to enable/disable IDP initiated Logins from a single configuration in Auth0.
The current setup we have is some of our customers have a single endpoint configured to connect to us, and we allow them to use SP and IDP initiated authentication.
In FusionAuth it seems we have to configure them separately, and this would then require us to ask the customer to configure it twice?
Examples:
A customer hits our login page and we initiate an SSO session with SAML using SP authentication; the user can then log in. The same customer logs in via their IDP (Google Apps workspace for example) and again can log in using the same connection details.
This doesn't seem possible currently with FusionAuth?
Regards,
Lee
@leesmith110 Thanks for the additional detail. Yes, this is correct. To my knowledge, this is not currently possible in FusionAuth, but something that could be considered via this feature request.
@mooreds Might have other workarounds or thoughts, however.
@jobannon @mooreds
Thanks, I even thought about whether we could solve it via proxy configuration to rewrite the incoming IDP, but I don't think that would work.
This unfortunately stops us from a migration point. Any idea if this may even get implemented?
My only thought is that you could have the customer configure one of them (probably the SP, since I think that has a superset of the attributes of the IdP SAML connection) and then use the API to copy over the relevant details to the other.
If that workaround doesn't help, we can leave this feature request open. If you have a support plan, please open a ticket there and reference this as well, as we take both measures of input into account.
@mooreds
So I am also pretty sure the SP configuration is what's most important.
Can I ask you to let me know what you are thinking with the API copy over? I will get the team to test and get back to you :)
> Can I ask you to let me know what you are thinking with the API copy over? I will get the team to test and get back to you :)
I'm sorry, I'm not sure I understand what you mean?
@leesmith110 Can you share how you resolved the issue, please?
@mooreds we haven't been able to. At the minute we can't migrate to using FusionAuth, so our development has been paused.
Hopefully in the future we will pick this up again 👍
Thanks for clarifying @leesmith110 . Sorry to hear that FusionAuth didn't work out, but we understand that you have to weigh engineering effort when considering a migration.
I'm going to re-open this issue and see if the community weighs in for implementation by upvoting it. Please feel free to do so, and to update this issue if/when you review again.
@mooreds great product you have, just a few snags on implementation for a SaaS enterprise setup that block us.
Thanks @leesmith110 . Appreciate it.
Not trying to do a hard sell, but if you'd like to engage with our sales team, sometimes they can work around issues and/or get timeline commitments from engineering for certain features that might already be on the roadmap. https://fusionauth.io/contact
We definitely have folks moving over from Auth0, but we get that everyone uses a different set of features.
@mooreds.
I have sent over a contact request. We are pretty much code complete, just a few issues; if we got them solved in the future roadmap or so, we could almost certainly see ourselves moving over.
Regards,
Lee
Supported SP and IDP SAML Login as a single configuration
Problem
Auth0 currently supports the ability to configure an enterprise connection which allows you to use both SP and IDP initiated logins with a single configuration.
It seems that in FusionAuth, we have to configure them as 2 separate identity providers (this would break the ability for our enterprise customers to choose either method of authentication).
Solution
A single SAML configuration to do both IDP and SP SAML authentication in FusionAuth
Alternatives/workarounds
There are none
Community guidelines
All issues filed in this repository must abide by the FusionAuth community guidelines.
How to vote
Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.