FusionAuth / fusionauth-issues

FusionAuth issue submission project
https://fusionauth.io

Single Sign On with React app #300

Closed janakapdj closed 4 years ago

janakapdj commented 5 years ago

Unable to sign out user and Verify 2nd application

I have two separate applications with two login screens. In Application one, the user login is validated with FusionAuth via the ( /api/login ) API request and it was successful, but when I am trying to validate the same user for the second Application (redirect without logging in) with FusionAuth I try with ( api/login/{userId}/{applicationId}?ipAddress={ipAddress} ), but this always returns http status 200, even after the user logs out, and also the user log out function does not work as expected ( /api/logout?global={global}&refreshToken={refreshToken} )

Help me with this. Basically I would like to know: is it possible to control SSO with the API, how does it expire the session on the client application, and how does it authenticate the user for the second Application?

robotdan commented 5 years ago

If you are using the Login API directly you will need to manage your own SSO.

If you want to manage the tokens on your end to achieve SSO w/out using the FusionAuth SSO / OpenId Connect front end, you can do this using these APIs

  1. You'll use the Login API to log the user in; this returns a JWT and a Refresh Token.
  2. You can now use the JWT to perform authenticated actions in your application.
  3. To sign onto another application you can use the JWT Issue API; this will allow you to obtain a JWT for application 2 with a JWT from application 1.
  4. When the JWT is expired you can use the Refresh Token to obtain another JWT so that you do not have to require the User to authenticate again.
  5. When you want to log the user out, you can revoke their Refresh Token. The user will now be logged out after all JWTs that have already been issued time out. You can also achieve this using the Logout API.

janakapdj commented 5 years ago

Hi robotdan, thanks for your reply. I am not interested in managing SSO on my end; I am looking for a way to manage SSO with FusionAuth. Just to clarify, what should be the flow I need to follow? My requirement is that users log in from my application, not with FusionAuth login screens:

  1. user logs in from the Application 1 login screen with user name and password
  2. *** if first-time user, they will be redirected to the Password change screen on Application 1
  3. User log in succeeds
  4. Application 2 user should be able to log in without authenticating
  5. If the user logs out from one application the user will be logged out from the other too

Can you give me some clear reference to follow for SSO with FusionAuth? At the moment I am stuck with integrating the Login API and I do not want to manage SSO on my end.

robotdan commented 5 years ago

The way FusionAuth manages SSO is with our login screens. So if you want SSO w/out our login screens, that means you are building it yourself.

The APIs I referenced above do provide some of that function, such as exchange tokens between applications, etc.

Why do you want to use the APIs directly vs using the login screens? Seems like the hard way. :-)

janakapdj commented 5 years ago

Hi robotdan, thank you again for your reply. I have web based applications; I hope to use SAML v2 as an SSO solution. Is that the better one? Can you suggest the best solution to implement?

I've done all the steps mentioned in the guides https://fusionauth.io/docs/v1/tech/samlv2/overview and https://fusionauth.io/docs/v1/tech/identity-providers/samlv2/overview#create-a-saml-v2-identity-provider. After all that I tested the login URL and it's giving "message" : "The SAML login request is missing the SAMLRequest parameter". I did test with https://samltest.id too and it's saying "The identity provider supplying your login credentials is not registered for use with SAMLtest. Please make sure you upload your IdP's metadata first." What does it mean? Where should I upload metadata.xml?

robotdan commented 5 years ago

You can use SAML or OpenID Connect when taking advantage of our SSO, OpenID Connect is preferred if you are able to use it.

To test with https://samltest.id you will need to first upload your metadata. Make sure you are running FusionAuth version 1.7.4 or newer.

  1. Go to https://samltest.id/upload.php
  2. Enter your Entity Id URL in the first field and click on "Fetch!"

You will find your Entity Id URL in the SAML v2 Integration details section of the Application details. To view these details navigate to Applications from the left nav and click on the green view button. The Entity Id URL (along with the Metadata URL) will return an XML document that can be used by the SP (in this case https://samltest.id) to verify your IdP.

janakapdj commented 5 years ago

Hi robotdan,

I have installed the latest version.

I was able to create the XML file, but now I'm stuck with the IdP URL.

Again I'll clarify my requirement:

I have one application done with React and the other one is a third party app that supports SAML (but I cannot make any change to its source). All the users for both applications have been imported into FusionAuth (two FusionAuth applications).
Users need to be allowed to access both applications with SSO. Is this possible to achieve? Or do I need to set up an IdP server? Sorry for asking questions again and again :)

robotdan commented 5 years ago

Is this possible to achieve ? or do I need to setting up Idp server ?

I believe so, as long as our SAML implementation is compatible with yours.

I was able to create XML file , but now stuck with Idp url ,

I don't know what that means, how can I help you?

janakapdj commented 5 years ago

Hi, I pushed back to SSO with a locally running web app, and I am trying to connect FusionAuth with Sisense. Is there any documentation on how to connect with Sisense? In Sisense I found documentation for some other 3rd party apps but could not find any for FusionAuth :( I tried setting up Sisense locally on http://localhost:8081; please check the attachment, where I couldn't find the values marked with a red line.

***** What should the IDP endpoint be? Can it be created with FusionAuth or some other API?

Application SAML

janakapdj commented 5 years ago

With the above configurations, I am running on Docker; here is a log file:

java.lang.IllegalArgumentException: Invalid SAML v2.0 Name ID format [urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress]
        at io.fusionauth.samlv2.domain.NameIDFormat.fromSAMLFormat(NameIDFormat.java:156)
        at io.fusionauth.samlv2.service.DefaultSAMLv2Service.parseRequest(DefaultSAMLv2Service.java:471)
        at io.fusionauth.app.action.samlv2.LoginAction.get(LoginAction.java:92)
        at sun.reflect.GeneratedMethodAccessor122.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.primeframework.mvc.util.ReflectionUtils.invoke(ReflectionUtils.java:436)
        at org.primeframework.mvc.action.DefaultActionInvocationWorkflow.execute(DefaultActionInvocationWorkflow.java:84)
        at org.primeframework.mvc.action.DefaultActionInvocationWorkflow.perform(DefaultActionInvocationWorkflow.java:64)
        at 

robotdan commented 5 years ago

I don't believe that is a valid Name Id Format. The email address NameID format is urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.

What SAML provider are you using that is using that Name ID Format?

What should be IDP endpoint ? its able to create with fusion or some other Api ?

If you click the view button you will see the SAML integration details, including a Login URL and an Entity Id URL.

janakapdj commented 5 years ago

Hi robotdan, thank you again for your reply. I am still getting the same error in the log file; as I see it the NameID format is correct. For your reference I have attached some screen captures. I am passing my deadline and need to get done with FusionAuth or an alternative :( Where and how do I set the Name ID format? Is this "Invalid SAML v2.0 Name ID format" a bug? How could I fix this (I am running on Docker and the latest version)? Could you please help me with this. Please let me know if you need more information on this.

robotdan commented 5 years ago

As far as I know that NameId format is not valid, however I am sure there are IdPs out there using it - case in point.

For this reason, in the latest release of FusionAuth we will try to guess the NameId format even if it doesn't appear to be one that we recognize. In this particular case, the NameId Format of urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress that is being sent to FusionAuth will resolve to the NameId format for email.

Let me know if the latest version of FusionAuth works for you.
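As an added illustration (not FusionAuth's own code) of the lenient resolution described above: the `2.0` emailAddress URN from the log is mapped to the SAML 1.1 format the spec actually defines, while unrecognised values are still rejected. The format table is a subset of the spec's list, and matching on the final URN segment is an assumed strategy, not FusionAuth's algorithm.

```javascript
// Added example, not FusionAuth's code. Format URNs come from SAML Core 2.0
// section 8.3; only a subset is listed here.
const NAME_ID_FORMATS = {
  unspecified:     'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
  emailAddress:    'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
  X509SubjectName: 'urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName',
  persistent:      'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
  transient:       'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
  entity:          'urn:oasis:names:tc:SAML:2.0:nameid-format:entity',
};

// Accepts either version segment; the final segment must name a known format.
const NAME_ID_URN = /^urn:oasis:names:tc:SAML:(1\.1|2\.0):nameid-format:([A-Za-z0-9]+)$/;

// Strict resolution: the exact URN must be one the spec defines. This is the
// behaviour that produced the IllegalArgumentException in the log above.
function resolveStrict(format) {
  const hit = Object.values(NAME_ID_FORMATS).find((f) => f === format);
  if (!hit) throw new Error(`Invalid SAML v2.0 Name ID format [${format}]`);
  return hit;
}

// Lenient resolution (assumed strategy): tolerate a wrong version segment such
// as "2.0:nameid-format:emailAddress" by keying on the format name alone.
// Anything that is not a well-formed URN with a known name is still rejected,
// so a garbage value cannot silently degrade to "unspecified".
function resolveLenient(format) {
  const m = NAME_ID_URN.exec(format);
  if (m && NAME_ID_FORMATS[m[2]]) return NAME_ID_FORMATS[m[2]];
  throw new Error(`Invalid SAML v2.0 Name ID format [${format}]`);
}
```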

janakapdj commented 5 years ago

Hi robotdan, thanks for your reply/suggestion. I have reinstalled the latest version; now it seems the NameId format error has been fixed.

janakapdj commented 5 years ago

Hi robotdan, when I try to log in to Sisense "http://localhost:8081" it now redirects to the FusionAuth login screen (login screen attached). After filling in credentials and clicking the login button, FusionAuth redirects to Sisense and it's fine, but when I click on the Login With Sisense button it shows XML content :O

And also I saw this error in developer tools when we enter credentials on the FusionAuth login: content_script.js:62 LEVEL: ERROR | MODULE: LEAKED_CREDENTIALS | SESSION: ac1cc6e9 | MESSAGE: "CryptoJS.SHA256 is not a function" | PARAMS: {}

robotdan commented 5 years ago

Hi @janakapdj I would need to see your SAML configuration to help much with this. Also, enable debug in your SAML configuration and capture the Debug event log.

janakapdj commented 5 years ago

Hi @robotdan, here I have attached screen shots. Please let me know if you need more information on this. And also I would like to know, does FusionAuth support external https requests? Example code:

        $.ajax({
            url: 'https://analytics.statge.fundsaxis.org/api/auth/',
            xhrFields: { withCredentials: true }
        });

janakapdj commented 5 years ago

@robotdan could you help me with this

robotdan commented 5 years ago

and also I would like to know does fusion auth support to external https request

Are you asking if we support AJAX inside of a lambda function? Currently we do not support this. ( see https://github.com/FusionAuth/fusionauth-issues/issues/267 )

Also, enable debug in your SAML configuration and capture the Debug event log.

Can you provide any related Error or Debug event logs that are produced?

content_script.js:62 LEVEL: ERROR | MODULE: LEAKED_CREDENTIALS | SESSION: ac1cc6e9 | MESSAGE: "CryptoJS.SHA256 is not a function" | PARAMS: {}

This is not part of FusionAuth, is this crypto-js ?

https://www.npmjs.com/package/crypto-js https://stackoverflow.com/questions/51953592/sha256-is-undefined

janakapdj commented 5 years ago

Hi,

thanks for your reply ;)

When click on Login With Sisense button it shows XML content 
Can you provide any related Error or Debug event logs that are produced?

Here no event log is generated; I have enabled debug on the application and SAML configurations too. For your reference I have attached a screen recording. I checked the Docker log file too and that also does not create any log entry.

As a second part, I am working on implementing a React/Node app to enable SSO with FusionAuth/Sisense. I found the npm package "fusionauth-node-client" but it does not seem to support SSO. Can you give me some reference for this also?

robotdan commented 4 years ago

Here is the node client link in NPM, https://www.npmjs.com/package/@fusionauth/node-client

This library provides access to our APIs, SSO is user agent based (web browser) so the only part that you'll need to use in this library is the exchangeRefreshTokenForJWT method.

In your screen capture it looks like your redirect is to /samlv2/{id}, this is the Entity Id URL for the SAML IdP configuration. If you want to log into another SAML IdP you want to use the Service Provider configuration. This is under Settings --> Identity Providers.

You want to use the redirect for the SAML SP configuration. Click on "view" in Settings --> Identity Providers for your SAML configuration. You should see the ACS url. It will end in samlv2/acs.

If you want FusionAuth to act as a SAML IdP then you want to use the SAML configuration in your Application configuration. In your screenshot you're clicking the Login with SAML button, which I assume means you want to log into Sisense via SAML v2.

janakapdj commented 4 years ago

I tried the node client but I was unable to find an example/document for the node client exchangeRefreshTokenForJWT method usage with SSO.

My concern is, since SSO is handled by FusionAuth: when no one is logged in (Sisense or the Node app), a user trying to log in with any application for the first time should be redirected to the FusionAuth login, and the second one should not need to log in again and should automatically redirect to the dashboard. But in my case, with the node client, authentication is successful but Sisense (configured with SAML) is still redirecting to the login screen when it should be redirecting to the Sisense dashboard. Are there any additional configurations to do? Or is it not possible to do SSO with the node client, because it authenticates through the API?

Node client code used for log in:

        const obj = {
            'loginId': 'testmail@mail.com',   // req.query.user,
            'password': 'xxxxxxxxxx',         // req.query.password,
            'applicationId': applicationId
        };
        client.login(obj)
            .then(function(clientResponse) {
            });

robotdan commented 4 years ago

I may have misspoke; it looks like the Node client doesn't have the method I was thinking of. Here is the endpoint; you can call it via Node relatively easily: https://fusionauth.io/docs/v1/tech/oauth/endpoints#complete-the-authorization-code-grant-request

i my case with node client authentication is success but still Sisense (configured with SAML) redirecting to login screen but it should be redirecting to sisense dashboard . is there any additional configurations to do ? or its not possible to do SSO with node client ? because its make authentication through API ?

This is correct, as I've stated several times, when you use our API you are not using our SSO. You need to use our login pages for SSO to work how you'd like.

Using our login pages instead of building it in your app is a better strategy for security, and effort on your end as well. You should be able to theme our login to look just like your site.

For reference https://fusionauth.io/articles/logins/types-of-logins-authentication-workflows

janakapdj commented 4 years ago

Hi robotdan,

I am working on an authenticated Node application with OAuth; when it tries to get the token with the authenticated code I get the below:

        {
          "error": "invalid_client",
          "error_description": "Client authentication missing as Basic Authorization header or credentials in the body (or some combination of them).",
          "error_reason": "client_authentication_missing"
        }

Axios post:

        Request URL: http://10.197.55.100:9011/oauth2/token
        Request Method: POST
        Status Code: 401
        Remote Address: 10.197.55.100:9011
        Referrer Policy: no-referrer-when-downgrade

        Response headers:
        Access-Control-Allow-Credentials: true
        Access-Control-Allow-Origin: http://localhost:3000
        Access-Control-Expose-Headers: Access-Control-Allow-Origin,Access-Control-Allow-Credentials
        Content-Length: 213
        Content-Type: application/json;charset=UTF-8
        Date: Wed, 16 Oct 2019 12:02:24 GMT
        Vary: Origin

        Request headers (provisional headers are shown):
        Accept: application/json, text/plain, */*
        Content-Type: application/x-www-form-urlencoded
        Origin: http://localhost:3000
        Referer: http://localhost:3000/Authenticated?code=2BKjKK9195Vl-PBNujcRUAKA18Its3hGyvIasENrVgQ&locale=en_US&userState=Authenticated
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36

        Form data:
        client_id: c6bcfb81-7387-4448-92fe-979fbc183864
        code: 2BKjKK9195Vl-PBNujcRUAKA18Its3hGyvIasENrVgQ
        grant_type: authorization_code
        redirect_uri: http://localhost:3000/Authenticated

JS code:

        import axios from 'axios';

        // Runs inside the React component after FusionAuth redirects back with
        // ?code=...; AppConfig, fusionAuthCode, errors and this.setState come
        // from the surrounding component. Note that no client credentials
        // (Authorization header or client_secret) are sent with this request,
        // which is what the invalid_client response above refers to.
        let apiUrl = AppConfig.fusionAuthBaseUrl + '/oauth2/token';
        let data = 'client_id=' + AppConfig.fusionApplicationId
            + '&code=' + fusionAuthCode
            + '&grant_type=authorization_code'
            + '&redirect_uri=' + encodeURIComponent('http://localhost:3000/Authenticated');

        let headers = {
            'Content-Type': 'application/x-www-form-urlencoded',
        };
        return axios.post(apiUrl, data, { headers })
            .then((response) => {
                console.log(response);
            })
            .catch(err => {
                errors.loginErrors = "Login failed.";
                this.setState({ errors: errors, loading: false });
            });

robotdan commented 4 years ago

Have you reviewed the Token endpoint doc? https://fusionauth.io/docs/v1/tech/oauth/endpoints#complete-the-authorization-code-grant-request

You either need to provide an Authorization header or disable client authentication for this FusionAuth Application.

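An added example (not the poster's or FusionAuth's code) of the token request the Token endpoint doc asks for, with client authentication either as a Basic Authorization header or as client_secret in the form body; the client id, secret, code and redirect URI are constructed placeholders. hasClientAuthentication mirrors the check behind the invalid_client response above, so it flags the original request shape as missing credentials.

```javascript
// Added example, not from the original thread. Builds the authorization-code
// grant request with client authentication in one of the two places the
// endpoint accepts. This must run on the Node backend: the client secret
// cannot be placed in browser-side React code.
function buildTokenRequest({ clientId, clientSecret, code, redirectUri, credentialsIn = 'header' }) {
  const form = new URLSearchParams({
    grant_type: 'authorization_code',
    code,
    client_id: clientId,
    redirect_uri: redirectUri,
  });
  const headers = { 'Content-Type': 'application/x-www-form-urlencoded' };

  if (credentialsIn === 'header') {
    // RFC 6749 section 2.3.1: Basic <base64("client_id:client_secret")>.
    const basic = Buffer.from(`${clientId}:${clientSecret}`, 'utf8').toString('base64');
    headers.Authorization = `Basic ${basic}`;
  } else if (credentialsIn === 'body') {
    // Alternative the error message mentions: credentials in the form body.
    form.set('client_secret', clientSecret);
  } else {
    throw new Error(`unknown credentialsIn: ${credentialsIn}`);
  }
  return { method: 'POST', path: '/oauth2/token', headers, body: form.toString() };
}

// Mirrors the server-side precondition that produced the 401 in the thread:
// a token request carrying neither a Basic header nor a client_secret field
// is rejected before the code is even looked at.
function hasClientAuthentication(req) {
  const auth = (req.headers && req.headers.Authorization) || '';
  const body = new URLSearchParams(req.body || '');
  return auth.startsWith('Basic ') || body.has('client_secret');
}
```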

robotdan commented 4 years ago

I think there are a bunch of issues we're working through on this single ticket so it is difficult to follow where we are at.

I'll close out this issue, and open a new issue if you still need assistance with a specific problem.