Can FusionAuth federate to itself?
-
If I am running multiple FusionAuth instances, can one be a SAML IdP and another be the SAML SP?
-
Yes. You'd need to configure each instance correctly, but this can be done.
-
Here's how I set up FusionAuth as a SAML IdP (idp.fusionauth.io) and added a 'Login with SAML' button on a FusionAuth instance (local.fusionauth.io). Both servers are running 1.24.0. I do have multiple tenants in both local and demo, but both applications are in the default tenant. (Setting up these servers locally is possible, but beyond the scope of this post.)

- Created an RSA 256 keypair on idp.fusionauth.io in Key Master (saml test).
- Created an RSA public key and imported the saml test public key into Key Master on local.fusionauth.io.
- Added POST as an allowed CORS method in the local.fusionauth.io settings, with an allowed origin of https://idp.fusionauth.io.
- Created an application (samlsp) in local.fusionauth.io. Added an OAuth redirect URL to the application.
- Created an application (samlidp) in idp.fusionauth.io. Added an OAuth redirect URL to the application.
- Configured the samlidp application with the following values:
  - enabled SAML on the SAML tab
  - set the issuer to https://example.com
  - added an authorized redirect URL: https://local.fusionauth.io/samlv2/acs
  - set the response signing key to 'saml test'. All other response fields are default.
- Configured a SAML identity provider on local.fusionauth.io:
  - name: idpfusionauth
  - IdP endpoint: https://idp.fusionauth.io/samlv2/login/a743e2cd-55bb-789c-b076-8846fdd3a51f (pulled from the application details screen of the samlidp application)
  - use NameID for email: true
  - verification key: use the certificate of the aforementioned saml test public key (not the public key!)
  - use POST method: false
  - sign request: false
  - applications: samlsp enabled and registration enabled
- Updated the issuer on the samlidp application's SAML screen. Set the issuer to https://local.fusionauth.io/samlv2/sp/dfd114b9-7b57-446d-8f60-ec6689f47da4. This value is pulled from the local.fusionauth.io SAMLv2 Identity Provider details. Note that you may need to trim this value, as when you copy it there may be spaces in front or behind, and if you don't remove them, you'll see a 'The AuthnRequest contained an invalid issuer' message.

By following these steps, when you open up an incognito window and go to the login page of the samlsp application, you will see a 'Login with SAML' button, and then you can log in with that.