Hiya @priyankakumari3058

I'm not sure you're posting in the right forum. This forum is for questions and discussion about FusionAuth, not kibana.

I think you might want the elasticsearch forums: https://discuss.elastic.co/

Hope that helps.

@dan Thanks it worked !

My first question is a) when I setup the dashboard on server A. Can I assume that all the servers (behind a load balancer) will get the same configuration?

You need to distribute the configuration file or the environment variables yourself. You could scp the configuration file to each server, for example.

b) I want to make sure that FA is using the RDS database and not a local one in each docker container. How can I prove to myself that FA is using the RDS?

I'm not sure how you installed this, but you could remove postgresql from the docker-compose file. You can also shut down the RDS instance and see if FusionAuth fails.

You can also look for a line in the startup log file that looks like this:

fusionauth_1 | 2021-02-02 9:23:53.070 PM INFO com.inversoft.jdbc.hikari.DataSourceProvider - Connecting to PostgreSQL database at [jdbc:postgresql://db:5432/fusionauth]

This line is connecting to a local postgresql database, but you should see the configuration value pointing to the RDS hostname in yours.

So I just finished writing up an SSO document (not yet published, in review) and SSO and refresh tokens are orthogonal. Refresh tokens are used when you have a client who wants to get a new JWT, and SSO is used to transparently log a user in when you are using the hosted login pages.

So I wouldn't worry about the refresh token appearing or disappearing.

... handling SSO in my application but looks like my SSO session is dropped after some short time ~1h, but Session timeout for the tenant is set to 10 days

What does the fusionauth.sso cookie have for the maxage/expires value?

Does this happen regularly, or intermittently? It looks like some kind of SSL issue from the stacktrace, but I'm afraid I don't have any experience with this configuration.

Another troubleshooting approach would be removing components to see if that changed the behavior.

Or you could also search for interactions between Hikari (the java connection pooling system FusionAuth uses) and haproxy.

Sorry I don't have a better answer for you. Please let us know what you end up finding out!

Can you please provide more details?

What you are trying to do? A step by step explanation would be really helpful for anyone trying to understand what problem you ran into.

Thanks,
Dan

@robertom

I'm not quite sure how to answer your question without more details. If you want to use FusionAuth as an external directory, you could encrypt sensitive data and store it on the user or registration objects. While there is built in support for managing keys you'd have to build the actual encryption logic yourself; you can't mark a user field to be 'extra encrypted' in FusionAuth at this time.

That might be an interesting feature; feel free to file a feature request with more details.

Two ideas:

Does it help to specify the key id when creating your test SymmetricSecurityKey? var key = new SymmetricSecurityKey(Encoding.ASCII.GetBytes( "My secret from application config" ) ) { KeyId = "Your Key Id" }; You don't specify which algorithm you're using to sign your tokens. If you're using SymmetricSecurityKey, ensure you're using an symmetric algorithm to sign your tokens.

I'm not sure what is going on, but my guess is that the cookies are shared locally (cookies are shared across ports), which is why things are working.

If you are trying to pass information from when someone logs in to after they are logged in, through the oauth flow, you should look at the state parameter. There's some information on doing that here: https://fusionauth.io/community/forum/topic/165/taking-a-user-directly-to-the-registration-page?_=1610507951768 but I'm not sure how it integrates with whatever library you are using. I'd consult the docs for that lib.

re: #1, please see my answer here: https://fusionauth.io/community/forum/topic/12/can-i-configure-the-inactivity-timeout-of-the-fusionauth-session-cookie?_=1610490171675

re: #2 I forwarded your message on to the team and someone should be reaching out about support options.

Thanks!

Ah, great. Yes, if you are running both the database and FusionAuth, you need more memory. If you are running elasticsearch too, you'll need even more.

@tony

Glad you were able to figure it out. I'm not aware of any other way to access the identity provider id from the response, but that does seem to solve your problem, correct?

Please feel free to file a feature request more clearly outlining your use case and proposed ideal solution.

It looks like the type of audiences is a set of strings, so I wouldn't expect any complex elements.

The docs say that this field is:

[a] list of the audiences for this SAML response. By default, the issuer or audience from the form are used.

This is not super clear to me, so I filed a PR against the docs to make it clearer: https://github.com/FusionAuth/fusionauth-site/pull/376

This looks to be a bug. Tracking here: https://github.com/FusionAuth/fusionauth-issues/issues/1067

Thanks for letting us know.