FusionAuth / fusionauth-issues

FusionAuth issue submission project
https://fusionauth.io

Add support for InCommon Federation #668

Open jayaimzzzDM opened 4 years ago

jayaimzzzDM commented 4 years ago

Add support for InCommon Federation

Problem

As an SP (service provider), I would like to create and register one entityId (and its metadata, certs, etc.) and have it be accessible to be used by multiple IdPs (Identity Providers) that are registered with InCommon.

When trying to add the SP metadata generated by FusionAuth to InCommon, it is tied to just one IdP. The metadata is also missing the required signing and encryption certificate (needs to be x509 in PEM format).

When a user attempting to authenticate clicks on their IdP to use, FusionAuth redirects to the IdP and provides an entityId. This entityId ends with the id of the FusionAuth Identity Provider configuration. This configuration contains the IdP endpoint. Thus each IdP created in FusionAuth gets its own SP entityId.

Solution

As an SP, I can create one SP entry for InCommon Federation consumption in FusionAuth by creating a name and also selecting a signing key to use. This entry will create an entityId and metadata that I can then register with InCommon. I can then add entityIds of IdPs which are registered with InCommon that I can use for SSO. This one SP entry can be used by multiple IdPs. FusionAuth needs to fetch the certs and SSO endpoints for each IdP from InCommon.

Alternatives/workarounds

Since SAML IdP integration is straightforward with FusionAuth (many thanks!), my plan was to build a service that fetched all IdP metadata from InCommon daily, parsed the XML to retrieve the certs and endpoints, used the API to upload the certs to FusionAuth, got the id of the cert, and used the API to create a new Identity Provider within FusionAuth. Having to register unique SP metadata with InCommon for each IdP we use defeats the purpose of using InCommon over a standard SAML integration.

Additional context

The InCommon Federation is a collection of SAML metadata between trusted partners. https://spaces.at.internet2.edu/display/federation/

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.
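The workaround described in the report (fetch the federation's metadata aggregate, pull each IdP's signing certificate and SSO endpoint out of the XML, then register each IdP) starts with parsing a SAML 2.0 metadata aggregate. As an added example, not FusionAuth's code and not the reporter's service, here is that parsing step in Python over a constructed aggregate; the entity IDs, URLs and certificate blobs are placeholders. It also applies two checks a practitioner would want before feeding the result into an IdP configuration: a key marked `use="encryption"` is never accepted as a signing key, and the certificate text is checked to be valid base64 before it is wrapped as PEM.

```python
"""Extract per-IdP SSO endpoint and signing certificate(s) from a SAML 2.0
metadata aggregate such as the one InCommon publishes.

Added illustration, not FusionAuth or reporter code. The sample aggregate
below is constructed; its certificates are base64 placeholders, not DER."""
import base64
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Placeholder certificate bodies (valid base64, not real certificates).
SIGNING_BLOB = base64.b64encode(b"placeholder signing cert, not real DER").decode()
ENCRYPTION_BLOB = base64.b64encode(b"placeholder encryption cert, not real DER").decode()

# Constructed aggregate: two IdPs (one with both bindings and a separate
# encryption key, one with only HTTP-POST) plus an SP that must be skipped.
SAMPLE_AGGREGATE = f"""
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Name="urn:example:federation">
  <md:EntityDescriptor entityID="https://idp.example-university.edu/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{SIGNING_BLOB}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
      <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{ENCRYPTION_BLOB}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
      <md:SingleSignOnService Binding="{REDIRECT}"
        Location="https://idp.example-university.edu/idp/profile/SAML2/Redirect/SSO"/>
      <md:SingleSignOnService Binding="{POST}"
        Location="https://idp.example-university.edu/idp/profile/SAML2/POST/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://login.example-college.edu/saml">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{SIGNING_BLOB}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
      <md:SingleSignOnService Binding="{POST}"
        Location="https://login.example-college.edu/saml/sso"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/metadata">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def to_pem(x509_text: str) -> str:
    """Turn the base64 body of a <ds:X509Certificate> into PEM.

    Whitespace inside the element is insignificant, so it is stripped first;
    b64decode(validate=True) rejects anything that is not clean base64."""
    body = "".join(x509_text.split())
    base64.b64decode(body, validate=True)  # raises binascii.Error if malformed
    return ("-----BEGIN CERTIFICATE-----\n"
            + "\n".join(textwrap.wrap(body, 64))
            + "\n-----END CERTIFICATE-----\n")


def parse_idps(aggregate_xml: str) -> dict:
    """Return {entityID: {"sso_url", "binding", "signing_certs"}} for every
    usable IdP in the aggregate. Verify the aggregate's XML signature before
    calling this; parsing does not establish trust in the contents."""
    root = ET.fromstring(aggregate_xml)
    idps = {}
    for ed in root.iter(f"{{{NS['md']}}}EntityDescriptor"):
        idp = ed.find("md:IDPSSODescriptor", NS)
        if idp is None:
            continue  # SPs and attribute authorities are not login targets
        certs = []
        for kd in idp.findall("md:KeyDescriptor", NS):
            # No 'use' attribute means the key serves both purposes;
            # an encryption-only key must never verify assertion signatures.
            if kd.get("use") not in (None, "signing"):
                continue
            for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                certs.append(to_pem(cert.text))
        endpoints = {s.get("Binding"): s.get("Location")
                     for s in idp.findall("md:SingleSignOnService", NS)}
        binding = REDIRECT if REDIRECT in endpoints else POST if POST in endpoints else None
        if not certs or binding is None:
            continue  # nothing to verify with, or nowhere to send the request
        idps[ed.get("entityID")] = {
            "sso_url": endpoints[binding],
            "binding": binding,
            "signing_certs": certs,
        }
    return idps


if __name__ == "__main__":
    for entity_id, info in parse_idps(SAMPLE_AGGREGATE).items():
        print(entity_id, info["binding"], info["sso_url"], len(info["signing_certs"]))
```

Two things to keep in mind when pointing this at a real aggregate: InCommon signs its published metadata, and the signature over the whole document should be checked before any entry is trusted; and a federation aggregate is large, attacker-influenced XML, so a hardened parser (for example `defusedxml` in place of `xml.etree`) is the safer choice for the fetch-and-parse service the report sketches.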

mooreds commented 6 months ago

@jayaimzzzDM did you end up implementing your workaround?