FusionAuth / fusionauth-issues

FusionAuth issue submission project
https://fusionauth.io

SAML joint config does not work for some IdPs #2399

Open JohnCarrollSplit opened 1 year ago

JohnCarrollSplit commented 1 year ago


Description

When a SAMLv2 identity provider is configured in FusionAuth and the option Enable IdP initiated login is enabled, the provided ACS URL will not work for an SP-initiated SAML login flow for some IdPs that do not allow multiple ACS URLs to be configured, for example OneLogin and Google Workspace.

Affects versions

1.45.1

Steps to reproduce

Steps to reproduce the behavior:

  1. Create a new SAML v2 IdP configuration and select the option for Enable IdP initiated login
  2. Configure a Google Workspace SAML application using the details provided in the IdP configuration within FusionAuth
  3. Attempt to log in to an OAuth enabled application by using FusionAuth to authenticate against Google Workspace
  4. See error in the SAML response for the SP-initiated flow:
     ...
     ...
       <saml2p:Status>
         <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
           <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/>
         </saml2p:StatusCode>
         <saml2p:StatusMessage>Invalid request, ACS Url in request
           https://split-dev.fusionauth.io/samlv2/acs doesn't match configured ACS Url
           https://split-dev.fusionauth.io/samlv2/acs/adb38170-27f4-11ee-9c5d-c64cdfea31ae/550f7f8b-c796-4f7a-9df4-d84343f26615?scope=offline_access+openid.
         </saml2p:StatusMessage>
       </saml2p:Status>
     </saml2p:Response>

Expected behavior

A single FusionAuth IdP configuration should work with IdPs that only allow a single ACS URL to be entered for IdP- and SP-initiated login flows.

Screenshots

Google app config: [screenshot]

Platform

(Please complete the following information)

Community guidelines

All issues filed in this repository must abide by the FusionAuth community guidelines.

Additional context

When setting the ACS URL to https://split-dev.fusionauth.io/samlv2/acs, the SP-initiated flow works fine, but then the IdP-initiated flow will not work and gives an error in the FA UI once redirected back from the IdP after authenticating there:


{
  "error" : "invalid_request",
  "error_description" : "The request is missing a required parameter: redirect_uri",
  "error_reason" : "missing_redirect_uri"
}

This is not an issue for other IdPs (such as Okta) that allow other ACS URL values to be entered.
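The status block in step 4 is the IdP telling the SP that the AssertionConsumerServiceURL in the AuthnRequest does not match the single ACS URL it has on file. The following is an added example (not code from the issue reporter, FusionAuth or Google) that parses the nested SAML status codes and classifies that failure; the SAML Response is a constructed sample with a placeholder host and placeholder IDs that mirrors the response above, and the two ACS URLs are recovered from its StatusMessage text:

```python
"""Parse the <saml2p:Status> of a SAMLv2 Response and classify ACS URL mismatches.

Added example, not FusionAuth code. SAMPLE_RESPONSE is a constructed sample
modelled on the response quoted in the issue; host and IDs are placeholders.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"saml2p": "urn:oasis:names:tc:SAML:2.0:protocol"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample: the nested Requester/RequestDenied status from the issue.
SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" ID="_1" Version="2.0">
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
      <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/>
    </saml2p:StatusCode>
    <saml2p:StatusMessage>Invalid request, ACS Url in request
      https://sp.example.com/samlv2/acs doesn't match configured ACS Url
      https://sp.example.com/samlv2/acs/IDP_ID/APP_ID?scope=offline_access+openid.
    </saml2p:StatusMessage>
  </saml2p:Status>
</saml2p:Response>"""

# Constructed sample: the shape of a successful status, for contrast.
SUCCESS_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" ID="_2" Version="2.0">
  <saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
</saml2p:Response>"""


def parse_status(xml_text):
    """Return (top_code, sub_code, message) from the Response's Status element."""
    root = ET.fromstring(xml_text)
    status = root.find("saml2p:Status", NS)
    if status is None:
        raise ValueError("Response has no Status element")
    top = status.find("saml2p:StatusCode", NS)
    if top is None:
        raise ValueError("Status has no StatusCode element")
    sub = top.find("saml2p:StatusCode", NS)  # second-level code, e.g. RequestDenied
    msg_el = status.find("saml2p:StatusMessage", NS)
    message = " ".join(msg_el.text.split()) if msg_el is not None and msg_el.text else ""
    return top.get("Value"), (sub.get("Value") if sub is not None else None), message


def is_success(xml_text):
    return parse_status(xml_text)[0] == SUCCESS


def acs_urls_in_message(message):
    """Pull the https:// URLs out of the message: request URL first, configured URL second."""
    return [tok.rstrip(".") for tok in message.split() if tok.startswith("https://")]


def diagnose(xml_text):
    """Classify the response: 'success', 'acs-path-mismatch' or a generic 'error'."""
    top_code, sub_code, message = parse_status(xml_text)
    if top_code == SUCCESS:
        return "success"
    urls = acs_urls_in_message(message)
    if sub_code and sub_code.endswith(":RequestDenied") and len(urls) == 2:
        requested, configured = (urlsplit(u) for u in urls)
        if requested.path != configured.path:
            return "acs-path-mismatch"
    return "error"


if __name__ == "__main__":
    print(parse_status(SAMPLE_RESPONSE))
    print(diagnose(SAMPLE_RESPONSE), diagnose(SUCCESS_RESPONSE))
```

The top-level code (Requester) says which side the IdP blames, the nested code (RequestDenied) says why, and the free-text message is where the two ACS paths appear; comparing only the path component makes the difference between the plain `/samlv2/acs` endpoint and the IdP-initiated `/samlv2/acs/<idp>/<app>` endpoint explicit.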

robotdan commented 1 year ago

Internal:

robotdan commented 1 year ago

@JohnCarrollSplit

When you perform an IdP initiated login with a SAML v2 IdP, we are still going to perform our own OAuth workflow. This is the reason for the error you've observed.

This means that we still need to know how to send the auth code back to your app to complete the login. When performing an SP initiated SAML v2 login, you'd start by creating the URL to FusionAuth that begins with /oauth2/authorize and this would include a value for redirect_uri. In this IdP initiated flow, we still need this value, and we try to figure it out by either selecting the first configured value, or resolving the value from query parameters on the ACS URL named RelayState or redirect_uri.

So if you are seeing this error, I think this means you don't have any configured Authorized Redirect URLs in your oauth config. Can you confirm?

And ..
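The resolution order described in the previous comment (a RelayState or redirect_uri query parameter on the ACS URL, else the first configured Authorized Redirect URL, else the missing_redirect_uri error) can be written down as a small function. This is an added illustrative example, not FusionAuth's implementation: the function name, the exception type and the rule that a value carried on the ACS URL is accepted only if it exactly matches one of the application's registered redirect URLs are assumptions made here, and the URLs in the usage are constructed.

```python
"""Resolve the OAuth redirect_uri for an IdP-initiated SAML login.

Added example, not FusionAuth code. Order follows the comment in the issue:
RelayState or redirect_uri on the ACS URL first, then the first configured
Authorized Redirect URL. The allow-list check is an assumption added here.
"""
from urllib.parse import parse_qs, urlsplit


class MissingRedirectUri(Exception):
    """Raised when no redirect_uri can be determined (error_reason: missing_redirect_uri)."""


def resolve_redirect_uri(acs_url, authorized_redirect_urls):
    """Return the redirect_uri to send the auth code to, or raise.

    acs_url: the ACS URL the IdP posted the assertion to, including its query string.
    authorized_redirect_urls: the application's configured Authorized Redirect URLs.
    """
    query = parse_qs(urlsplit(acs_url).query)
    for name in ("RelayState", "redirect_uri"):
        values = query.get(name)
        if values:
            candidate = values[0]
            # Assumption: a value supplied on the ACS URL is only honoured when it is
            # exactly one of the registered redirect URLs; otherwise the auth code
            # could be sent to a destination the application never registered.
            if candidate in authorized_redirect_urls:
                return candidate
            raise ValueError(f"{name} {candidate!r} is not an authorized redirect URL")
    if authorized_redirect_urls:
        return authorized_redirect_urls[0]
    raise MissingRedirectUri("The request is missing a required parameter: redirect_uri")


def error_response(exc):
    """Shape the failure like the JSON the FA UI showed in the issue."""
    return {
        "error": "invalid_request",
        "error_description": str(exc),
        "error_reason": "missing_redirect_uri",
    }


if __name__ == "__main__":
    # Constructed ACS URL in the same shape as the IdP-initiated endpoint from the issue.
    acs = "https://sp.example.com/samlv2/acs/IDP_ID/APP_ID?scope=offline_access+openid"
    print(resolve_redirect_uri(acs, ["https://app.example.com/callback"]))
    try:
        resolve_redirect_uri(acs, [])
    except MissingRedirectUri as e:
        print(error_response(e))
```

With no Authorized Redirect URLs configured and nothing on the ACS URL, the function ends in exactly the `missing_redirect_uri` case from the issue; adding one Authorized Redirect URL to the OAuth configuration is what makes the first-configured-value branch succeed.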