Hi Dan,
Thanks - I've created a ticket here:
https://github.com/FusionAuth/fusionauth-issues/issues/822
Regards
Brad.
In case anyone else would like to do the same, I have found a solution which I have detailed here:
https://github.com/FusionAuth/fusionauth-issues/issues/822#issuecomment-680172776
Would it be possible (e.g., with some kind of LAMBDA) so that when a user logs in, the LAMBDA can check what groups the user is a member of, and automatically create the app registrations for the app they are trying to access?
The LAMBDA can then create any app-specific usernames, if required. But I'm not sure if the LAMBDA has access to group membership info?
Hi,
I'm not 100% sure how groups are meant to be used in FusionAuth.
I've created a group, assigned it application roles, and put users in the group, but the user still needs to register for the application - is it not possible for app registrations to be inferred from the group's app roles?
I suspect it's more a case of me not understanding something.
Thanks for any help offered.
Brad.
Hi Dan,
Is there a formal / supported way for us to write our own pages & logic and integrate it within the same FusionAuth installation?
For example, is there a directory we can place additional WAR files in? Or Java APIs that we can use to create our own plugins?
Brad.
Hi all,
We have a requirement where a specific application has additional security requirements - specifically that MFA MUST be used before a user can access it.
Is it possible that the first time a user tries to log in, they are automatically taken to the page where they need to enrol / configure the Google (or other time-based) MFA app?
Example:
User logs in, is redirected to the QR code page where they need to configure Google Authenticator (or another app), then they are allowed access to the SAML application.
Thanks in advance
Hi,
Is the code for io.fusionauth.app.action.samlv2.LoginAction available as open source? I'd like to implement the missing POST method - it appears that the GET method is implemented, but not POST.
I've found some SAML-related bits on github (https://github.com/FusionAuth/fusionauth-samlv2) but not this class.
Hi Dan,
We are using FusionAuth as the IDP. It's already acting as an IDP for another application, but this app is not playing ball.
I'm afraid I'm not able to name the application, but it's a web-based cyber security app that has documented support for Okta, Google and ADFS as the IDP, but we are trying to get it to work with FusionAuth. I'm sure it will be possible, but we need to understand what the above error means.
I've checked the CORS settings and they are fine - we've wild-card allowed CORS requests just as a test, and included POST (among others) as allowed requests.
Brad.
Hi there,
I have an application that only supports SAML POST bindings, and I'm trying to integrate it with FusionAuth.
I'm getting the following error when I try to log in to my app. The app sends the POST request to FusionAuth, but all I get back is
HTTP ERROR 405
HTTP/1.1 405
Date: Wed, 26 Aug 2020 09:46:08 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips
Access-Control-Allow-Origin: https://XXXXXX
Vary: Origin
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: Access-Control-Allow-Origin,Access-Control-Allow-Credentials
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
In the server logs (fusionauth-app.log) I get a single line:
Aug 26, 2020 10:41:30.865 am WARN org.primeframework.mvc.action.DefaultActionMappingWorkflow - The action class [io.fusionauth.app.action.samlv2.LoginAction] does not have a valid execute method for the HTTP method [POST]
The SAML request that gets sent in the POST request is:
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest AssertionConsumerServiceURL="https://XXXXXX/api/auth/saml2/handle-assertion"
Destination="https://XXXX.cybanetix.com/samlv2/login/863a8e18-7ae4-8ad7-4fa0-3e9e02a36525"
ForceAuthn="false"
ID="a58686e0-6743-4a74-9af1-d3d5a21a6b75"
IsPassive="false"
IssueInstant="2020-08-26T08:31:36.303Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Version="2.0"
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://XXXX/api/auth/saml2/login</saml2:Issuer>
<saml2p:NameIDPolicy AllowCreate="true"
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
<saml2p:RequestedAuthnContext Comparison="exact">
<saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
</saml2p:RequestedAuthnContext>
</saml2p:AuthnRequest>
This looks well-formed to me, the ACS looks good and matches the config in the application, as does the Login URL etc.
Any help will be greatly appreciated.
--
Brad.
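Added example (not code from FusionAuth or from the poster) illustrating the two things the post above and the earlier question about the missing POST method in LoginAction are mixing together. The 405 and the log line concern the transport of the AuthnRequest itself: the SP delivered it with an HTTP POST to /samlv2/login, and that action only had a GET (HTTP-Redirect binding) execute method at the time. The ProtocolBinding attribute inside the request is a different thing: it names the binding the SP wants the Response delivered with to its ACS, and HTTP-POST there is the normal choice. The script below encodes the quoted AuthnRequest both ways (Redirect binding: raw DEFLATE, base64, query string; POST binding: base64 form field), decodes them back, and runs the checks an IdP endpoint should apply before acting on such a request: request transport, Destination, an allowlist of registered ACS URLs (since the request is unsigned, the ACS it carries must never be trusted on its own), and signature presence. The endpoint URL, accepted transport and registered ACS set are assumptions supplied by the caller; the XML is a copy of the request in the post with its placeholders kept.

```python
"""Constructed example: SAML AuthnRequest bindings and IdP-side request checks."""
import base64
import zlib
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DSIG = "http://www.w3.org/2000/09/xmldsig#"
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
BINDING_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Copy of the AuthnRequest quoted in the post (XXXX placeholders kept as posted).
AUTHN_REQUEST = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<saml2p:AuthnRequest AssertionConsumerServiceURL="https://XXXXXX/api/auth/saml2/handle-assertion" '
    'Destination="https://XXXX.cybanetix.com/samlv2/login/863a8e18-7ae4-8ad7-4fa0-3e9e02a36525" '
    'ForceAuthn="false" ID="a58686e0-6743-4a74-9af1-d3d5a21a6b75" IsPassive="false" '
    'IssueInstant="2020-08-26T08:31:36.303Z" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0" '
    'xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">'
    'https://XXXX/api/auth/saml2/login</saml2:Issuer>'
    '<saml2p:NameIDPolicy AllowCreate="true" '
    'Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>'
    '</saml2p:AuthnRequest>'
)


def parse_authn_request(xml_text: str) -> Dict[str, object]:
    """Extract the fields an IdP needs to decide whether to honour the request."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "{%s}AuthnRequest" % SAMLP:
        raise ValueError("not a samlp:AuthnRequest: %s" % root.tag)
    issuer = root.find("{%s}Issuer" % SAML)
    return {
        "id": root.get("ID"),
        "issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
        "acs": root.get("AssertionConsumerServiceURL"),
        "destination": root.get("Destination"),
        # Binding requested for the *Response* (to the ACS), not for this request.
        "binding": root.get("ProtocolBinding"),
        "signed": root.find("{%s}Signature" % DSIG) is not None,
    }


def encode_redirect_binding(xml_text: str, login_url: str,
                            relay_state: Optional[str] = None) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, query string (GET)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return "%s?%s" % (login_url, urlencode(params))


def decode_redirect_binding(url: str) -> str:
    qs = parse_qs(urlparse(url).query)
    return zlib.decompress(base64.b64decode(qs["SAMLRequest"][0]), -15).decode("utf-8")


def encode_post_binding(xml_text: str, relay_state: Optional[str] = None) -> Dict[str, str]:
    """HTTP-POST binding: plain base64 in a form field (what the poster's SP sends)."""
    form = {"SAMLRequest": base64.b64encode(xml_text.encode("utf-8")).decode("ascii")}
    if relay_state is not None:
        form["RelayState"] = relay_state
    return form


def decode_post_binding(form: Dict[str, str]) -> str:
    return base64.b64decode(form["SAMLRequest"]).decode("utf-8")


def check_authn_request(req: Dict[str, object], *, http_method: str, endpoint_url: str,
                        registered_acs: set, accepted_methods=("GET",),
                        response_bindings=(BINDING_POST, BINDING_REDIRECT)) -> List[str]:
    """Return the reasons an IdP endpoint should refuse the request (empty = accept).

    accepted_methods models the request transport the endpoint implements; "GET"
    only reproduces the situation in the log line. endpoint_url and registered_acs
    are the IdP's own configuration and are assumptions in this example."""
    problems = []
    if http_method not in accepted_methods:
        problems.append("AuthnRequest delivered with %s; endpoint accepts %s"
                        % (http_method, "/".join(accepted_methods)))
    if req["destination"] != endpoint_url:
        problems.append("Destination does not match this endpoint")
    if req["binding"] not in response_bindings:
        problems.append("unsupported ProtocolBinding for the Response")
    # An unsigned request can be forged by anyone; honouring its ACS URL without an
    # allowlist would let an attacker have the signed assertion posted to their host.
    if req["acs"] not in registered_acs:
        problems.append("AssertionConsumerServiceURL is not registered for this SP")
    return problems


if __name__ == "__main__":
    req = parse_authn_request(AUTHN_REQUEST)
    print(req)
    print(encode_redirect_binding(AUTHN_REQUEST, req["destination"], "state123"))
    print(check_authn_request(req, http_method="POST", endpoint_url=req["destination"],
                              registered_acs={req["acs"]}))
```

Run as-is it reports exactly one problem for the posted request: the transport. Everything else about the request is consistent with what the post says (Destination matches the login URL, ProtocolBinding asks for a POST Response), which is why the fix lay on the IdP side rather than in the SP's configuration.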