Open janjongboom opened 8 months ago
I believe this should already work as you expect.
If it is not, we should investigate.
Internal:
We should review how RelayState is used in the path, I believe it should be working already.
Perhaps we just have a documentation issue, or perhaps a bug in the code.
@robotdan I'm having very similar issues with Okta trying to get both IdP and SP initiated logins to work.
Someone doing a writeup of both IdP and SP initiated logins using a single identity provider would be tremendously helpful. The docs always split this up. There's an IdP-initiated login tutorial for Okta, and an SP-initiated login tutorial for Okta, both using different URLs. There is not one that does both. I've been banging my head against this wall for the past two weeks, and I assume this should be a pretty common use case.
https://github.com/FusionAuth/fusionauth-issues/issues/2399 seems to be the same issue.
Edit: I can get Okta to work by configuring the "IdP initiated callback URL" as the default SSO URL and configuring the "Callback URL (ACS)" under 'Other Requestable SSO URLs'. That would be good to have in the FusionAuth docs.
@janjongboom I tested out using a single FusionAuth identity provider for both SP and IdP-initiated auth. I've got it written up, but not published in any of our docs yet. It feels a little wordy to paste a bunch of markdown into this issue, so I'm going to attach it as a PDF. Could you let me know if this is what you are trying to achieve?
Support RelayState as redirect URL for IdP initiated SAMLv2 login
Problem
This is the same feature request as https://github.com/FusionAuth/fusionauth-issues/issues/1785, but that was closed as completed, and I wanted to give some more context on why the workaround in that issue does not work.
The workaround in #1785 (adding ?redirect_uri) does work for IdP initiated logins, but creates invalid requests for SP initiated logins because the ACS URL no longer matches whatever is in the system. Example error message:
This creates a problem where (as far as I can see) it's not possible to have one SAML identity provider that supports both IdP initiated and SP initiated logins if the provider requires ?redirect_uri passed in. I've done a complete write-up on trying to get this configured for Google Workspace here: https://fusionauth.io/community/forum/topic/2551/google-workspace-saml-v2-both-idp-initiated-sp-initiated-logins
Solution
Either:
?redirect_uri in ACS URLs, even for SP-initiated logins.
Related issues
Alternatives/workarounds
I've put my complete thought process (with screenshots and various configs) in https://fusionauth.io/community/forum/topic/2551/google-workspace-saml-v2-both-idp-initiated-sp-initiated-logins
Additional context
FusionAuth version: 1.47.1 (hosted version, Starter license).
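To make the problem described above concrete, here is an added illustration (not FusionAuth code, and not from the issue author): the `?redirect_uri` workaround from #1785 changes the ACS URL, so the strict ACS comparison an SP-initiated AuthnRequest is checked against no longer matches, whereas RelayState carries the post-login destination while the ACS URL stays constant. All URLs, hostnames and function names are constructed for the example.

```python
"""Model of the ACS-URL mismatch vs. a RelayState-based redirect.
Everything here is hypothetical: the ACS URL, the allow-listed host and the
function names are constructed, not FusionAuth's real endpoints or API."""
from urllib.parse import urlencode, urlsplit

# Constructed sample values.
REGISTERED_ACS = "https://auth.example.com/samlv2/acs/EXAMPLE-IDP-ID"
ALLOWED_REDIRECT_HOSTS = {"app.example.com"}


def with_redirect_uri(acs_url: str, target: str) -> str:
    """The #1785 workaround: bake the post-login target into the ACS URL itself."""
    return f"{acs_url}?{urlencode({'redirect_uri': target})}"


def acs_accepted(registered: str, presented: str) -> bool:
    """SP-initiated flow: the IdP compares the AssertionConsumerServiceURL in the
    AuthnRequest with the value registered for the SP. It is a strict equality
    check, so a query string present on one side only produces a mismatch error."""
    return registered == presented


def resolve_post_login_redirect(relay_state, default: str) -> str:
    """IdP-initiated flow: RelayState carries the destination, the ACS URL is
    untouched. Only an absolute https URL on an allow-listed host is honoured;
    anything else falls back to the default landing page, so an attacker cannot
    turn RelayState into an open redirect."""
    if not relay_state:
        return default
    parts = urlsplit(relay_state)
    if parts.scheme != "https" or parts.hostname not in ALLOWED_REDIRECT_HOSTS:
        return default
    return relay_state


if __name__ == "__main__":
    target = "https://app.example.com/dashboard"
    # IdP configured with the workaround URL; the SP's AuthnRequest still
    # carries the plain registered ACS, hence the SP-initiated breakage.
    print(acs_accepted(with_redirect_uri(REGISTERED_ACS, target), REGISTERED_ACS))
    print(resolve_post_login_redirect(target, "https://app.example.com/"))
```

Running the block prints `False` for the ACS comparison with the workaround applied and the allow-listed dashboard URL for the RelayState path.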