Can FusionAuth federate to itself?



  • If I am running multiple FusionAuth instances, can one be a SAML IdP and another be the SAML SP?



  • Yes. You'd need to configure each instance correctly, but this can be done.



  • Here's how I set up FusionAuth as a SAML IdP (idp.fusionauth.io) and added a 'Login with SAML' button on a FusionAuth instance (local.fusionauth.io). Both servers are running 1.24.0. I do have multiple tenants in both local and demo, but both applications are in the default tenant. (Setting up these servers locally is possible, but beyond the scope of this post.)

    • Created a RSA 256 keypair on idp.fusionauth.io in key master (saml test)
    • Created a RSA public key and imported the saml test public key into key master on local.fusionauth.io
    • Add POST as an allowed CORS method in the local.fusionauth.io settings, with an allowed origin of https://idp.fusionauth.io.
    • Created an application (samlsp) in local.fusionauth.io. Added a oauth redirect url to the application.
    • Created an application (samlidp) in idp.fusionauth.io. Added a oauth redirect url to the application.
    • Configured samlidp application with the following values:
      • enabled SAML on the SAML tab
      • set the issuer to https://example.com
      • added an authorized redirect url: https://local.fusionauth.io/samlv2/acs
      • set the response signing key to 'saml test'. All other response fields are default.
    • Configured a SAML identity provider on local.fusionauth.io
      • name: idpfusionauth
      • IdP endpoint: https://idp.fusionauth.io/samlv2/login/a743e2cd-55bb-789c-b076-8846fdd3a51f ( pulled from the applications details screen of the samlidp application)
      • use nameid for email: true
      • verification key: use the certificate of the aforementioned saml test public key (not the public key!)
      • use post method: false
      • sign request: false
      • applications: samlsp enabled and registration enabled
    • Updated the issuer on the samlidp application SAML screen. Set the issuer to https://local.fusionauth.io/samlv2/sp/dfd114b9-7b57-446d-8f60-ec6689f47da4. This value is pulled from the local.fusionauth.io SAMLv2 Identity Provider details. Note that you may need to trim this value, as when you copy it there may be spaces in front or behind, and if you don't remove them, you'll see a The AuthnRequest contained an invalid issuer message.

    By following these steps, when you open up an incognito window and go to the login page of the samlsp application, you will see a 'login with saml' button, and then you can login with that.


Log in to reply
 

Looks like your connection to FusionAuth Forum was lost, please wait while we try to reconnect.