RE: Enquiry Regarding FusionAuth Evaluation and Access Management Capabilities

@jay-saxophone383 I do believe you can get FusionAuth to work as you described here. Here are some links that may give you a little more detail.

SAML v2 with ADFS

OpenID Connect with Azure AD

Enabling Single Sign-On in an Organization

Product Update

As mentioned above, some of the features described are only available with paid planes and if you need to test them out, you will want to contact FusionAuth and see what can be worked out.

@jay-saxophone383

Does FusionAuth provide an evaluation license to test its premium features for on premise?

As far as I know there is no license that allows you to test the premium features. If this is something you are interested, you may want to reach out to the sales team.

You can use the public sandbox instance, which has a valid license and access to all premium features. No credit card or account is required. However, be aware that any data you enter is public and the environment is reset regularly, so your changes will not persist.

Is there something specific (a feature/use case) that you are interested in and how it works?

Does the solution offer robust capabilities to collect and securely store detailed information about trusted user devices and activities during access management sessions?

Yes, in addition to general logging there are numerous webhooks that allow you to consume JSON messages emitted from FusionAuth events.

This information is crucial for tracking audit trails and performing analytics, particularly in the following areas:

a) Device Information
    i) Various device types and models

Yes

ii) Popular operating systems across desktop and laptop platforms (e.g., Windows, macOS, Linux, ChromeOS) and mobile platforms (e.g., Android, iOS, others)

Yes

iii) Security posture details, such as antivirus software and posture checks

I'm not sure what you mean with this question. FusionAuth does have Advanced Threat Detection available. Is that what you are talking about?

b) Comprehensive Reporting
    Ability to track all access management activities, including login times, accessed resources, actions performed, user activity patterns, and associated geographic locations

FusionAuth has a few views you can look at to see such information (like the dashboard below), but between the webhooks and API access you should be able to collect, organize and view the data the way you would need to.

This is an example of the dashboard with some of the advanced features enabled.

Here is an example from a successful login webhook.

{
  "event" : {
    "applicationId" : "3c219e58-ed0e-4b18-ad48-f4f92793ae32",
    "authenticationType" : "PASSWORD",
    "connectorId" : "e3306678-a53a-4964-9040-1c96f36dda72",
    "createInstant" : 1747952916005,
    "id" : "fbeb32bc-0a98-4835-800e-7b0b5aa75523",
    "info" : {
      "deviceName" : "macOS Chrome",
      "deviceType" : "BROWSER",
      "ipAddress" : "192.168.147.1",
      "userAgent" : "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36"
    },
    "ipAddress" : "192.168.147.1",
    "linkedObjectId" : "00000000-0000-0000-0000-000000000001",
    "tenantId" : "d7d09513-a3f5-401c-9685-34ab6c552453",
    "type" : "user.login.success",
    "user" : {
      "active" : true,
      "birthDate" : "1981-06-04",
      "connectorId" : "e3306678-a53a-4964-9040-1c96f36dda72",
      "data" : {
        "favoriteColor" : "chartreuse"
      },
      "email" : "admin@example.com",
      "firstName" : "Dinesh",
      "id" : "00000000-0000-0000-0000-000000000001",
      "insertInstant" : 1736377123822,
      "lastLoginInstant" : 1747952916005,
      "lastName" : "Chugtai",
      "lastUpdateInstant" : 1746139865421,
      "memberships" : [ ],
      "passwordChangeRequired" : false,
      "passwordLastUpdateInstant" : 1746139893637,
      "preferredLanguages" : [ ],
      "registrations" : [ {
        "applicationId" : "ec526002-35cc-4e6e-8f5b-0e4fba2b08c8",
        "data" : { },
        "id" : "b2e3f755-1b1f-44f5-92ff-e6a41fa3eb12",
        "insertInstant" : 1745098563132,
        "lastLoginInstant" : 1745279910748,
        "lastUpdateInstant" : 1745098563132,
        "preferredLanguages" : [ ],
        "roles" : [ ],
        "tokens" : { },
        "usernameStatus" : "ACTIVE",
        "verified" : true,
        "verifiedInstant" : 1745098563132
      }, {
        "applicationId" : "3c219e58-ed0e-4b18-ad48-f4f92793ae32",
        "data" : { },
        "id" : "53635379-6b65-47c0-a593-579f1e0340ec",
        "insertInstant" : 1736377123867,
        "lastLoginInstant" : 1747952916005,
        "lastUpdateInstant" : 1736377123867,
        "preferredLanguages" : [ ],
        "roles" : [ "admin" ],
        "tokens" : { },
        "usernameStatus" : "ACTIVE",
        "verified" : true,
        "verifiedInstant" : 1736377123867
      } ],
      "tenantId" : "d7d09513-a3f5-401c-9685-34ab6c552453",
      "twoFactor" : {
        "methods" : [ ],
        "recoveryCodes" : [ ]
      },
      "usernameStatus" : "ACTIVE",
      "verified" : true,
      "verifiedInstant" : 1736377123822
    }
  }
}

Hope this answers your questions.

@robin-singh said in Getting 403 : disallowed_useragent with Google Auth:

We have android/iOS app where authentication redirects to fusionauth login page.
And here we have Facebook/Google login setup.
Facebook and native login is working fine but with Google login getting Error 403: disallowed_useragent.

Is there any way to directly open sign in for google which will send data to fusion auth only.

Are you trying to open the login in your application? Maybe try to use the system browser to up the Google login and see if that works. Google disallows OAuth login flows inside embedded web views (like those used in many mobile apps).

This is not available today without some glue code.

Currently our suggestion is to use Javascript on the Login page to jam the claim into a meta field that is shown on a Webhook payload, like jamming stuff into event.info.deviceDescription .

Then you create user.login.success webhook, making sure it is transactional. On login, the event is fired that off to your system and then you extract the claim off the event.info.deviceDescription field and make a PATCH call to FusionAuth. In that PATCH call, you add this to a field on user.data.x.

Then once that PATCH is successful, the 200 response back to the user.login.success event which completes the login and triggers the JWT populate lambda. That lambda extracts the claim off the user.data.x field and puts it into the JWT.

It's not pretty but it is the only way to have this work for now. (For self-service registration you can use a custom hidden field, much easier.)

Relevant docs:

• https://fusionauth.io/docs/extend/code/lambdas/jwt-populate
• https://fusionauth.io/docs/extend/events-and-webhooks/events/user-login-success
• https://fusionauth.io/docs/apis/users#update-a-user

How can I add in custom claims in to the JWT based on a custom login field or other parameters on the login form?

I have a parameter/variable that can change between each login (like a device id) and want it to be in the access token.

@d-chinguun-0301 No problem. Glad you figured it out. No need for apologies, if you were confused others may be as well. Now when they search here, they will have an answer. Have a great one

This is possible in a couple of ways.

First, to allow users to register for an application on login, you need to turn on self-service registration. From the docs:

When you enable self-service registration for an application and a user who does not have a registration for that application successfully logs in to that application, the user will automatically be registered for that application, and have a registration added.

Then the question becomes, how can you disable the hosted login pages self-service registration form?

To do so, take the following steps:

• update your theme to remove the link to the "Don't have an account? Create one" link from any pages, including the login page. You can also remove all the content from the registration themed page and replace it with not implemented or similar. However, a sinister user may still be able to post to the register endpoint and create a user
• if you are self-hosting, block access to the /register endpoint using a proxy
• if you are not self-hosting, prevent self-service registration by adding an encrypted secret value to all user accounts you create via the API. Then, create self-service registration validation lambda which will examine the user object. If the user object comes through without the secret value, fail the registration. Otherwise allow it through because it is a user who has logged in.

The self-service lambda may not fire unless there are required fields on the registration form, but that behavior is undocumented and may change.

I want to allow users to freely be registered to any number of applications simply by logging in, but not be able to use the self-service registration form to create user accounts (so I don't want them to be able to use the self-service registration form provided by the hosted login pages).

I'll create all user accounts using the User API.

Is there any way to do this?

inspired by this github issue

@d-chinguun-0301 can you give us some example code of what you are trying to do? What API are you using and how are you trying to cancel the call?

If you go look at https://fusionauth.io/docs/ and scroll to the bottom, you'll see a new section called 'Download docs'.

This takes you to fusionauth.io/docs/llms-full.txt which is all of our documentation (5MB!) in one file so you can upload it to your favorite LLM and query it.

Hope you all find it useful.