Open JohnCarrollSplit opened 1 year ago
Internal: If `RelayState` is provided, we will use this as the redirect. If not provided, the first configured value in the Authorized Redirect URLs will be used. Or you can specifically append `redirect_uri=` to the configured ACS.
@JohnCarrollSplit
When you perform an IdP initiated login with a SAML v2 IdP- we are still going to perform our own OAuth workflow. This is the reason for the error you've observed.
This means that we still need to know how to send the auth code back to your app to complete the login. When performing an SP initiated SAML v2 Login, you'd start by creating the URL to FusionAuth that begins with `/oauth2/authorize` and this would include a value for `redirect_uri`. In this IdP initiated flow, we still need this value, and we try to figure it out by either selecting the first configured value, or resolving the value from query parameters on the ACS URL named `RelayState` or `redirect_uri`.
So if you are seeing this error, I think this means you don't have any configured Authorized Redirect URLs in your oauth config. Can you confirm?
And .. can you add `RelayState` to your configuration with a value of the `redirect_uri` that you would otherwise use when building the `/oauth2/authorize` URL to FusionAuth?
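The resolution order described in the comment above, as an added illustration that is not FusionAuth's own code: build an ACS URL carrying a `RelayState` (or `redirect_uri`) query parameter, then resolve the redirect for an IdP-initiated login from those parameters, falling back to the first Authorized Redirect URL. The host names, the sample configuration and the check that the resolved value must itself be an Authorized Redirect URL are assumptions made for the example.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample configuration (placeholder hosts, not a real tenant).
ACS_BASE = "https://auth.example.com/samlv2/acs"
AUTHORIZED_REDIRECT_URLS = [
    "https://app.example.com/oauth-callback",
    "https://admin.example.com/oauth-callback",
]


def acs_url_with_redirect(redirect_uri: str, param: str = "RelayState") -> str:
    """Return the ACS URL to paste into the IdP, with the redirect target appended
    as a RelayState= or redirect_uri= query parameter (URL-encoded)."""
    if param not in ("RelayState", "redirect_uri"):
        raise ValueError("param must be 'RelayState' or 'redirect_uri'")
    return f"{ACS_BASE}?{urlencode({param: redirect_uri})}"


def resolve_redirect(acs_request_url: str, authorized: list) -> str:
    """Pick the redirect_uri for an IdP-initiated login:
    1. RelayState query parameter on the ACS URL
    2. redirect_uri query parameter on the ACS URL
    3. first configured Authorized Redirect URL
    Assumption for this example: an explicit value is only accepted if it is one of
    the Authorized Redirect URLs, so an attacker-supplied ACS query string cannot
    turn the callback into an open redirect."""
    query = parse_qs(urlsplit(acs_request_url).query)
    explicit = query.get("RelayState", []) + query.get("redirect_uri", [])
    candidate = next((value for value in explicit if value), None)
    if candidate is None:
        if not authorized:
            # Matches the situation diagnosed above: nothing to fall back on.
            raise LookupError("no redirect_uri: configure an Authorized Redirect URL")
        return authorized[0]
    if candidate not in authorized:
        raise PermissionError(f"{candidate!r} is not an Authorized Redirect URL")
    return candidate
```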
SAML joint config does not work for some IdPs
Description
When a SAMLv2 identity provider is configured in FusionAuth and the option `Enable IdP initiated login` is enabled, the provided ACS url will not work for an SP-initiated SAML login flow for some IdPs that do not allow multiple ACS urls to be configured, for example OneLogin and Google Workspace.
Affects versions
1.45.1
Steps to reproduce
Steps to reproduce the behavior:
Enable IdP initiated login
Expected behavior
A single FusionAuth IdP configuration should work with IdPs that only allow a single ACS url to be entered for IdP and SP-initiated login flows.
Screenshots
Google app config:
Additional context
When setting the ACS url to `https://split-dev.fusionauth.io/samlv2/acs`, the SP-initiated flow works fine, but then the IdP-initiated flow will not work and gives an error in the FA UI once redirected back from the IdP after authenticating there:
This is not an issue for other IdPs (such as Okta) that allow other ACS url values to be entered.