RE: Using PKCE with Client Authentication Disabled

@calumhall96 I didn't want you to think no one was looking at your post. I am not familiar with this set up so it is going to take me a while to check it out. In the mean time, if anyone has any ides, please speak up.

@Scot Woo-hoo, glad you got rollin'!

@otislinker345 I believe the 'verify' is to make sure it is a valid JWT indicates the signature is valid and the payload has not be tampered with. You will need to look at the roles in a valid JWT to determine if a user has that role.

@Scot Great! Well great that you were able to get it to run and we have isolated the issue. Not great in that it still won't run. How did you create your certificate? I did notice in the help that it requires it to be in a specific format. One time I created a cert and I don't think it was in the right format and it just hung. From the documentation, we need to make sure the private-key-file is in the PKCS#8 PEM format.

.

@cluong Hmm, Just to verify, when you submit the data, do you get a URL that looks similar to this?
https://sptest.iamshowcase.com/ixs?idp=581409a977a79eb0f979f2f591204c8f69f0f334

It does not surprise me that the WebAuthN Wizard would fail if we cannot get the url provided to work.

For clarification, it is my understanding that iamshowcase is the SP in this test case and FusionAuth is the IDP. I never used the "Initiate login URL" when setting up the SP initiated SSO.

For the record, if I enable "Enable IdP initiated login" from the SAML tab of the Application, I too am able to see the federated page.
When setting up the SP initiated SSO, I do not use the url provided by "Initiate login URL."

Would you be able to share the Metadata URL or the xml that it produces? Could you also share a copy of your Application -> SAML tab configuration. (feel free to mark it up and hide any information you do not want public.) If that does not work for you, I suggest setting up a test instance so you can share some more detail so we can get this working for you. Also, what version of FusionAuth are you working with?

@Scot OK, I got this fully working. This is going to be a long post, but I will try to be as detailed as possible. I would recommend testing with this and see if you can get it going. I did a lot of testing and one of the things I noticed was that the keys have to be in the right format. I would get it running like this. Then substitute your keys and see if it works. If not, there may be something off with them. Let me know how it goes.

And I will say this for anyone reading. DO NOT USE THE CERTS IN THIS POST IN PRODUCTION. I WOULD NOT EVEN USE IT BEYOND THIS INITAL TEST. THE WHOLE WORLD CAN SEE THE PRIVATE KEY.

Step 1: Install and run OpenSSL (I just added C:\Program Files\Git\usr\bin\ to my Path) openssl.exe

Step 2: Generate the root private key
(Running Powershell as Administrator)
I created a new folder under the C:\fusionauth folder named "cert"
cd C:\fusionauth\cert
Ran this command
openssl genrsa -out fatest5.key 4096

Step 3: Create a self-signed certificate
in the C:\fusionauth\cert folder run this command:
openssl req -x509 -new -addext "subjectAltName=DNS:localhost,DNS:.localhost,IP:10.0.0.1" -nodes -key fatest5.key -days 3650 -out fatest5.pem*

Note:
The first time I ran this, I received "Can't open "C:\Program Files (x86)\PostgreSQL\psqlODBC\etc\openssl.cnf" for reading, No such file or directory"

I executed the following and then retried creating the certificat i.e. openssl req ....
needed $env:OPENSSL_CONF = ''

I was asked for some input and here are the values I used. I image you could enter whatever you want.

---

Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:CO
Locality Name (eg, city) []:Denver
Organization Name (eg, company) [Internet Widgits Pty Ltd]:FATest
Organizational Unit Name (eg, section) []:FATestUnit
Common Name (e.g. server FQDN or YOUR name) []:localhost
Email Address []:none@example.com

Step 4: Verify the following files exist
C:\fusionauth\cert\fatest5.key (See Below for text of files from my example)
C:\fusionauth\cert\fatest5.pem (See Below for text of files from my example)

Optional Step 4.5
Import C:\fusionauth\cert\fatest5.pem to your Trusted Root Certification Authorties

This is not required but your browser may complain that the certificate is invalid when you go to check running site. The scope of the import is beyond this issue, but if you need help doing so just let me know.

Step 5: Edit Config file (I used Notepad++)
C:\fusionauth\config\fusionauth.properties (full text below)

fusionauth-app.https.enabled=true
fusionauth-app.https.port=9013
fusionauth-app.https.certificate-file=C:\\fusionauth\\cert\\fatest5.pem
fusionauth-app.https.private-key-file=C:\\fusionauth\\cert\\fatest5.key
fusionauth-app.https.certificate=
fusionauth-app.https.private-key=

Step6: Start FusionAuth
PS C:\fusionauth\bin> .\startup.ps1

A small note, when using the cert, the spin up time took a bit longer, up to a couple of minutes.

Step 7: Verify
Visit https://locaIlhost:9013

More Notes
It took a while to realize that it took longer to spin up with the https enabled.

with it disabled the log looks a bit like this.

2025-01-10 03:55:40.318 PM INFO  io.fusionauth.app.primeframework.FusionHTTPContextAuthSetup - Initializing the FusionAuth HTTP Context.
2025-01-10 03:55:40.727 PM INFO  org.primeframework.mvc.PrimeMVCRequestHandler - Initializing Prime
2025-01-10 03:55:40.729 PM INFO  org.primeframework.mvc.PrimeMVCRequestHandler - Initializing Prime
2025-01-10 03:55:40.729 PM INFO  io.fusionauth.http.server.HTTPServer - Starting the HTTP server. Buckle up!
2025-01-10 03:55:40.738 PM INFO  io.fusionauth.http.server.HTTPServer - HTTP server listening on port [9011]
2025-01-10 03:55:40.739 PM INFO  io.fusionauth.http.server.HTTPServer - HTTP server started successfully
2025-01-10 03:55:40.739 PM INFO  io.fusionauth.http.server.HTTPServer - Starting the HTTP server. Buckle up!
2025-01-10 03:55:40.741 PM INFO  io.fusionauth.http.server.HTTPServer - HTTP server listening on port [9012]
2025-01-10 03:55:40.741 PM INFO  io.fusionauth.http.server.HTTPServer - HTTP server started successfully

Notice the HTTP server listening on the ports almost directly after the Initalizing the FusionAuth HTTP Context event.

with https enabled the log looked more like this.

2025-01-11 10:42:30.965 AM INFO  io.fusionauth.app.primeframework.FusionHTTPContextAuthSetup - Initializing the FusionAuth HTTP Context.
2025-01-11 10:42:31.460 AM INFO  com.inversoft.maintenance.db.JDBCMaintenanceModeDatabaseService - [6TjvHw] Database Version [1.55.1]
2025-01-11 10:42:31.476 AM INFO  com.inversoft.maintenance.db.JDBCMaintenanceModeDatabaseService - [6TjvHw] Latest Migration Version [1.55.1]
2025-01-11 10:42:31.492 AM INFO  io.fusionauth.app.guice.FusionAuthModule - 

---------------------------------------------------------------------------------------------------------
--------------------------------- Starting FusionAuth version [1.55.1] ----------------------------------
---------------------------------------------------------------------------------------------------------

2025-01-11 10:42:32.025 AM INFO  io.fusionauth.api.plugin.guice.PluginModule - No plugins found
2025-01-11 10:42:32.437 AM INFO  io.fusionauth.api.service.system.NodeService - Node [0de0a155-c322-431a-bb37-7dd5f8920846] started.
2025-01-11 10:42:33.547 AM INFO  io.fusionauth.api.configuration.DefaultFusionAuthConfiguration - Loading FusionAuth configuration file [C:\fusionauth\config\fusionauth.properties]
2025-01-11 10:42:33.562 AM INFO  io.fusionauth.api.configuration.DefaultFusionAuthConfiguration - Dynamically set property [fusionauth-app.url] set to [http://10.211.55.3:9011]
2025-01-11 10:42:33.562 AM INFO  com.inversoft.configuration.BasePropertiesFileInversoftConfiguration - 
  - Overriding default value of property [database.mysql.enforce-utf8mb4] with value [true]
  - Overriding default value of property [fusionauth-app.runtime-mode] with value [development]
  - Overriding default value of property [search.type] with value [database]

2025-01-11 10:42:33.562 AM INFO  com.inversoft.jdbc.hikari.DataSourceProvider - Connecting to PostgreSQL database at [jdbc:postgresql://localhost:5432/fusionauth]
2025-01-11 10:42:33.593 AM INFO  com.zaxxer.hikari.HikariDataSource - Database-background - Starting...
2025-01-11 10:42:33.690 AM INFO  com.zaxxer.hikari.HikariDataSource - Database-background - Start completed.
2025-01-11 10:42:37.990 AM INFO  com.inversoft.jdbc.hikari.DataSourceProvider - Connecting to PostgreSQL database at [jdbc:postgresql://localhost:5432/fusionauth]
2025-01-11 10:42:37.990 AM INFO  com.zaxxer.hikari.HikariDataSource - Database-primary - Starting...
2025-01-11 10:42:38.101 AM INFO  com.zaxxer.hikari.pool.HikariPool - Database-primary - Added connection org.postgresql.jdbc.PgConnection@58c42c8c
2025-01-11 10:42:38.101 AM INFO  com.zaxxer.hikari.HikariDataSource - Database-primary - Start completed.
2025-01-11 10:42:39.830 AM INFO  com.inversoft.jdbc.hikari.DataSourceProvider - Connecting to PostgreSQL database at [jdbc:postgresql://localhost:5432/fusionauth]
2025-01-11 10:42:39.846 AM INFO  com.zaxxer.hikari.HikariDataSource - Database-secondary - Starting...
2025-01-11 10:42:39.906 AM INFO  com.zaxxer.hikari.pool.HikariPool - Database-secondary - Added connection org.postgresql.jdbc.PgConnection@74431b9c
2025-01-11 10:42:39.906 AM INFO  com.zaxxer.hikari.HikariDataSource - Database-secondary - Start completed.
2025-01-11 10:42:41.065 AM INFO  com.inversoft.scheduler.DefaultScheduler - Starting up scheduler
2025-01-11 10:42:41.065 AM INFO  com.inversoft.scheduler.DefaultScheduler - Scheduler is running
2025-01-11 10:42:41.384 AM INFO  io.fusionauth.api.service.system.NodeService - Node [0de0a155-c322-431a-bb37-7dd5f8920846] added with address [http://10.211.55.3:9011]
2025-01-11 10:42:41.847 AM INFO  com.inversoft.search.ElasticRestClientHelper - Connecting to Elasticsearch at [http://localhost:9021]
2025-01-11 10:42:42.206 AM INFO  com.inversoft.search.ElasticRestClientHelper - Connecting to Elasticsearch at [http://localhost:9021]
2025-01-11 10:42:42.414 AM INFO  io.fusionauth.app.primeframework.FusionHTTPContextAuthSetup - Initializing the FusionAuth HTTP Context.
2025-01-11 10:42:42.774 AM INFO  org.primeframework.mvc.PrimeMVCRequestHandler - Initializing Prime
2025-01-11 10:42:42.774 AM INFO  org.primeframework.mvc.PrimeMVCRequestHandler - Initializing Prime
2025-01-11 10:42:42.774 AM INFO  org.primeframework.mvc.PrimeMVCRequestHandler - Initializing Prime
2025-01-11 10:42:42.774 AM INFO  io.fusionauth.http.server.HTTPServer - Starting the HTTP server. Buckle up!
2025-01-11 10:42:42.774 AM INFO  io.fusionauth.http.server.HTTPServer - HTTP server listening on port [9011]
2025-01-11 10:42:42.774 AM INFO  io.fusionauth.http.server.HTTPServer - HTTP server started successfully
2025-01-11 10:42:42.774 AM INFO  io.fusionauth.http.server.HTTPServer - Starting the HTTP server. Buckle up!
2025-01-11 10:42:42.789 AM INFO  io.fusionauth.http.server.HTTPServer - HTTP server listening on port [9012]
2025-01-11 10:42:42.789 AM INFO  io.fusionauth.http.server.HTTPServer - HTTP server started successfully
2025-01-11 10:42:42.789 AM INFO  io.fusionauth.http.server.HTTPServer - Starting the HTTP server. Buckle up!
2025-01-11 10:42:42.797 AM INFO  io.fusionauth.http.server.HTTPServer - HTTP server listening on port [9013]
2025-01-11 10:42:42.798 AM INFO  io.fusionauth.http.server.HTTPServer - HTTP server started successfully

Notice the delay between the Initializing the FusionAuth HTTP Context and HTTP server started successfully. Only about 12 seconds here, but in testing I saw longer too.

!You should never share your private key! I am no longer using it and deleting this key so I am not worried about sharing.!

//////////////////// fatest5.key contents Start /////////////////////

-----BEGIN PRIVATE KEY-----
MIIJQAIBADANBgkqhkiG9w0BAQEFAASCCSowggkmAgEAAoICAQC0QvlKHp/7NZAv
+FYHUa5ZmdafbN7d/OvqWGGNTlKebZT9t6iXgqU9AZgr7SlkoIrDr8iNFXCEb7N+
+2flCws7kCYq/IsZs2hjYy2K/6HH3xrjEvn772csR0CvR4AqEpq7dgBulKX0Y7MO
W4XWwohsd07ijScjySBcE9mPVsq95EIZiRZCEhfkdGblg9mArWuEgEaB38BeJeqi
lNE+1Rx5wyOW0mIdPd5C9vvkenX+KTd39fEZ27mxjpbIJ8Ue57kLERRoAoXtk5aL
0/bVAukvB4BZl2CZyOmMErTsIZyk5benQPPynoGXePNFWiaZ0sd0cb+7qWvnf7lo
HNcEAIvIMf+f1BA5acp37eyMu//UIUSQM7A46c7J9CD3sGhw3sFmpiCyA8PaCPN7
2XEvOAJwpprDCE91sR2BjUq7jK1SpL63px37Nw3iGKlvWqcl02KlJBvyU0ElrVUX
t7c8hToLa+GHjeDE1dgi7MH0wLfTLQsGbPpgtb9sVcM+PdWyYe+3XPM/rOe2K1ee
xIK9qM8nNQbjLsRPdkVx+/GvXbK1/w0qFuBKiZLaGlkRTnCfOTOGLMcWRizccsgB
alb5aFmAHY2tBZdow2siNl3iabh7ExwkXGH2lcVJIApHmQxZN02EMlQScQyANYKn
zw/LzQTykKkYFXqFoCydPKdU2OJLIQIDAQABAoICAAD0DJilmMDPwrzrtTQDxLpf
5L+GKEe0E/Dy3aV1Qkzo4UOOHVDLj71W0wnKrtQTwKceOKc1G4myQ+ioSodmuYUD
py2FlVRd/1+c73GBdob5qz0joVWBmaX9dJpGtG74hyemFSSQkf/8195b2d1h3Q4G
i6DpaGFNOcft4ZHzVnY2kQpMuCTCXuyqCE4m/lNCu4eNZH4Q53XyATOh2glRIAXl
dCSC1WKwZEq+LtTpiEKnT/YhG4DImYrWsU3CvtVJ+j+0k/MkvgXEmMSBmv/bdI1v
dqB2q1PF4RUQ52K7LuZ8+eWjM3UTTTX2dXImut738z7GkBodYEsOqQXDxwf0Cyky
H011gyGTQxiOPpuDUkCZtZRiu50nTAZU4aUGnMbwfUh9xdiWVs6V7Z8werbrVBeZ
yewQuAyi8uzaHDwBHXZlITm/Sw7N5CFjJPjhWkwTa9r3YcWmfGgIlhig5CSs8rq9
/BfBKZlJr17cpagaRV6O48IWShq35qNy3c4A1zVDmCAkAZ60/dwsGVye/CG0V1g4
ipQO16s8eku5cwrXfUCuLOxog8i9AgiGb92BF6QE6sRxuRuM1I6oF2CC5PWrOxXQ
422xxxRUYEZFZw/PN3zZA6UzLIh6ISTNbXh/qcwer9bRp3qKuOsCkJESICIrKgR8
pE9z1cGzFPTNCTOFq0gBAoIBAQDydXeAJuKW4oLEtbwFtVsSRIdDE1C1ItUg8X/N
Luu8ibq4IR0d2HMKeOv7ngeEJq7X95SCF4AI85ESzWaNfL+cIg3FaOx5MY4btKRA
W96Qip7BVQog3s3CiUjm/r0f/sCk+ISa6KkxASmgnQ9gTHLSrQJVFGzZhkuVzalZ
nZx64TJ70gEBQYKg7JeisPxJS1J6mkkc4C8eem/b8PAexnkId5rIcza2IbucqaNc
HirjyLge8VaOqwNDKxOB2M6U4lEkFaikoYHVi4CqTuOH5CJk/G6FXb1isM+rztkw
DfSlt5rYWPAiNrdSF1p5RC6D8aq0Q7aYsdVfJlwIOaimzVgBAoIBAQC+VD9oaSXI
4Kjyhz/tMO7Zo/vgJ+uSgYeIZRwQJh28+luKZ7zU0ycdWO/zUNFkICGjaVTIMaZN
kYQPayyfYPI/P/FOUAC4+CqzFTpk1SEbbMEsShpkzI0mLpnOR/KfE0/5R/pV78/p
IxvoNZt/yQHB1w0JeB+qYUNGzPBB2CBjpDFFqo/zi6y6JiyFvQbM0S2ne+C8TEJl
S5YJXtIyFr6wkdncJQOLmG0PaYj7y0BVe4a3H+S9XCR2Gl9LDOeKXNAJGWm3kZ/2
Z/tXyVEUERigdvCT+fqewnInVGQWAPoDBELeFseWKhG/SSIfYRUdLL5oGSQqzfjH
5D/fL5AV4fMhAoIBAH2E4oCtoNCMIzbC/rvVz3f9kijfbwDXL48Gdys6B0Br7QY1
3mT9EVFymHiCr1Fy1UFpIrDWiaoYrhoVy+mjk265EngIgaOcS/173yySYv5hRR7B
b6Tks5DqkZtEdZSCxiihn8SyfiSofWxw4uzvpuH6PyLcmB1ksOy0s995APF8dC41
4d9MktvMoBPRnEo1fFWMWh1g0gPtTsuGSEkmZrJDeRYcz04q2H2aNMATvhB+cRNT
zYO+dMnpGwg1vXzGTUtpCw1vr09mEQ4aGSDYshWluXHBvbHB50ECrN173BOOodMu
9+I+gVk2TdhJu+sCyWTZSUZzigrgSPTZJL51wAECgf8Dt6GFaIhUZA7orbuR5mLD
3XAN8LmpIt6Cy3bA2f26sykWivAlN/qLmDEXj3yHeBkwF96QCmg1G6J4qp80fbA9
jAIqhWV+N1qeJMv/LCp5XqZnNwtM7LHVDRPz83PJp5boR3+cLhLhes4QuvtOg56F
Kq4WgUIdEck+mMIYhyAa0hokQjCNkSzOdfBorEh1t6AspT6+br7dO5yykieI0ujm
ifK3WgG3uEJpCqaiRFX9VWxMJ1NQX3xW0i0KSjY7fZSSmOx3qWB2b5F5JXVv7uWM
PMZ2HWvHrgSMwBk0VNCNPogPzmIXjLrMAaGo+zxuVXFilxsduugg/1RAB63Iv6EC
ggEBAMQoK9aSSj76SvScSKqZ6KklRfgKtRE75o08jwsqrdim4JzSm8vXO1Nd1Tb3
eIE0LP0vH6NVTdOsPHutWe4JzBBJl+FerkW3XRA2t/+4csRXb/iAM3EJDIkNbgEQ
ehBooBQ1TdBMRFY+m5O/96Ae5rVjRTX21Yj59mv2yXX9eu/bT0dBnE/DPd//Be+R
v8F1dj+5sqjGsA442KdyBr9Sz7S16mj5NG7bArlrzKCRiVGBISrwHIYGjKAsNMEJ
1xg7G+9lgCHNyGVydZfyyBDBPdGgGPAwtQmdKklvxJUUMZFI+eDDZX5/KurZJqIs
eIgSvQOr5BiRYXkchX5HgLbp62c=
-----END PRIVATE KEY-----

//////////////////// fatest5.key contents End /////////////////////

//////////////////// fatest5.pem contents Start /////////////////////

-----BEGIN CERTIFICATE-----
MIIGGDCCBACgAwIBAgIUWo+uFVUo/mHgKg2zFKr3mYOmgU0wDQYJKoZIhvcNAQEL
BQAwgYYxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDTzEPMA0GA1UEBwwGRGVudmVy
MQ8wDQYDVQQKDAZGQVRlc3QxEzARBgNVBAsMCkZBVGVzdFVuaXQxEjAQBgNVBAMM
CWxvY2FsaG9zdDEfMB0GCSqGSIb3DQEJARYQbm9uZUBleGFtcGxlLmNvbTAeFw0y
NTAxMTExNzE4MzhaFw0zNTAxMDkxNzE4MzhaMIGGMQswCQYDVQQGEwJVUzELMAkG
A1UECAwCQ08xDzANBgNVBAcMBkRlbnZlcjEPMA0GA1UECgwGRkFUZXN0MRMwEQYD
VQQLDApGQVRlc3RVbml0MRIwEAYDVQQDDAlsb2NhbGhvc3QxHzAdBgkqhkiG9w0B
CQEWEG5vbmVAZXhhbXBsZS5jb20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK
AoICAQC0QvlKHp/7NZAv+FYHUa5ZmdafbN7d/OvqWGGNTlKebZT9t6iXgqU9AZgr
7SlkoIrDr8iNFXCEb7N++2flCws7kCYq/IsZs2hjYy2K/6HH3xrjEvn772csR0Cv
R4AqEpq7dgBulKX0Y7MOW4XWwohsd07ijScjySBcE9mPVsq95EIZiRZCEhfkdGbl
g9mArWuEgEaB38BeJeqilNE+1Rx5wyOW0mIdPd5C9vvkenX+KTd39fEZ27mxjpbI
J8Ue57kLERRoAoXtk5aL0/bVAukvB4BZl2CZyOmMErTsIZyk5benQPPynoGXePNF
WiaZ0sd0cb+7qWvnf7loHNcEAIvIMf+f1BA5acp37eyMu//UIUSQM7A46c7J9CD3
sGhw3sFmpiCyA8PaCPN72XEvOAJwpprDCE91sR2BjUq7jK1SpL63px37Nw3iGKlv
Wqcl02KlJBvyU0ElrVUXt7c8hToLa+GHjeDE1dgi7MH0wLfTLQsGbPpgtb9sVcM+
PdWyYe+3XPM/rOe2K1eexIK9qM8nNQbjLsRPdkVx+/GvXbK1/w0qFuBKiZLaGlkR
TnCfOTOGLMcWRizccsgBalb5aFmAHY2tBZdow2siNl3iabh7ExwkXGH2lcVJIApH
mQxZN02EMlQScQyANYKnzw/LzQTykKkYFXqFoCydPKdU2OJLIQIDAQABo3wwejAd
BgNVHQ4EFgQUdTsmjyz+jzHC3CP1UZSRiGJFwvUwHwYDVR0jBBgwFoAUdTsmjyz+
jzHC3CP1UZSRiGJFwvUwDwYDVR0TAQH/BAUwAwEB/zAnBgNVHREEIDAegglsb2Nh
bGhvc3SCCyoubG9jYWxob3N0hwQKAAABMA0GCSqGSIb3DQEBCwUAA4ICAQBL/vmn
NP8SgvzMG9fzePxhmLDM7DCI9lVOW3ArevNaYEpAqgCP7rig2c7zi3zoZJjckNhS
eB+ncewIjGqM31Hog1+tdRZMl1HyCFFU7GDLutg06qMW+U6apIhoqRo1QsVjzZKd
Xj6uc6eoeWllsM3V0SaSuPPX+WUiGJDYxr6vrhMU78DnbUgjS3WtteDMkmK/fIlj
e1hCU6vw/LjGO79lHV1JTsVrZKEdKPBtXReAKzJpdeLKkh170OSO6AvNKoWIqLB0
mNcJCXucui2SUJjIiUWl3dRAGHFhiGA0w9Wbv7KEq/SqSnrSKVOyalkP6YjmBh+J
J4intaiY0Ya8gbieGDY9jcq91zPb0VIqVVZxOSGEwxwfxGsvbVWheh0sbCyrFmsX
jiOcnqa7Kd+bh6X0vEaGknDOBWSInr+3BRqA8Co+QHFjCDn8LSe4X9dz1NzDbdS0
bFSknuwQhzW1ItxCSQBKADbKwi9ifh6hLhOL5KeNLcJCeHuBRC021qkQhpnSVesB
vChFuscELP+cdzJLypr3OTk1NS6/g0oo3BUHOdANHcoKfeJKfIZLTgmoRtqGWYZF
zgsDxPTZapCmruu/jkMFeLxJz66X9id3KUNI+wPRUnaAP4WoZAUFt2gEThLM8us9
97tsb5L38dUf/7o5LYcwyykufGqk+rLDBln+BA==
-----END CERTIFICATE-----

//////////////////// fatest5.pem contents End /////////////////////

!You should never share your password and you will need to update it to work in your environment!

//////////////////// fusionauth.properties contents start /////////////////////

#
# Copyright (c) 2018-2024, FusionAuth, All Rights Reserved
#

#------------------------------------------------------------------------------
# Database
# - Specify the URL and credentials for your database here
# - Required on each node running FusionAuth App webservice
#------------------------------------------------------------------------------
database.url=jdbc:postgresql://localhost:5432/fusionauth
database.username=fusionauth
database.password=password

#------------------------------------------------------------------------------
# Additional MySQL database settings.
# - When enabled, FusionAuth will ensure the necessary 'utf8mb4' configuration parameters to
#   properly handle 4 byte unicode characters. FusionAuth will fail to start if not configured properly.
# - This value is ignored if using PostgreSQL
# - Only set to false if you understand the limitations not using 'utf8mb4' character sets.
#------------------------------------------------------------------------------
database.mysql.enforce-utf8mb4=true

#------------------------------------------------------------------------------
# Search engine
# - Required on each node to ensure it talks to the same search backend
#------------------------------------------------------------------------------

# Specify the search engine type, accepted values are `database` and `elasticsearch`.
# When configuring the search engine type to `elasticsearch`, you must configure the `fusionauth-app.search-servers` property as well.
search.type=database

# Specify the location of your FusionAuth Search servers. Multiple values may be specified using a comma separator.
# This configuration is used by FusionAuth App to connect to the ElasticSearch nodes. The specified port should be the
# configured value for 'fusionauth-search.http-port'.
#
# Single host example: http://localhost:9021
# Multiple hosts example: http://localhost:9021,http://192.168.1.42:9021
#search.servers=http://localhost:9021


#------------------------------------------------------------------------------
# fusionauth-search
# - Required on each node running FusionAuth Search
#------------------------------------------------------------------------------
fusionauth-search.transport.port=9020
fusionauth-search.http.port=9021
fusionauth-search.memory=512M
fusionauth-search.additional-java-args=

# Special values include: _local_, _site_. Values can be combined in a comma separated list.
fusionauth-search.hosts=_local_

# Specify the location of your FusionAuth Search Engine servers. Multiple values may be specified using a comma separator.
# This configuration is used by ElasticSearch to configure clustering. The specified port should be the configured value
# for 'fusionauth-search.transport-port'.
#
# Single host example: localhost:9020
# Multiple hosts example: localhost:9020,192.168.1.42:9020
fusionauth-search.servers=localhost:9020

# Specify the full path to the ElasticSearch data directory. This defaults to /usr/local/fusionauth/data/search/esv6
# on Linux/Unix and %FUSIONAUTH_HOME%\data\search\esv6 on Windows if not specified
fusionauth-search.data-directory=


#------------------------------------------------------------------------------
# fusionauth-app
# - Required on each node running FusionAuth App webservice
#------------------------------------------------------------------------------

# Optionally specify an addressable URL or IP address to access this node from other FusionAuth nodes.
# - In most cases this should be left empty and it will be determined at runtime.
# - Ideally this is a site local IP address that is not publicly routable but accessible from other FusionAuth nodes.
fusionauth-app.url=

# Specify the HTTP ports for the FusionAuth webservice
fusionauth-app.http.port=9011

# HTTPS support.
#
# To enable the TLS listener, you must provide a port, a private key, the server certificate and any intermediate certificates necessary. Root CA
# certs should not be included.
#
# - The server and intermediate certificates must be concatenated into the same file/property.
#
# - If you have installed the certificate chain and key as files, set the appropriate filenames in
#   fusionauth-app.https.certificate-file and fusionauth-app.https.private-key-file.
#
# - If you are setting the fields as PEM content (i.e. via an environment variable), use the
#   fusionauth-app.https.certificate and fusionauth-app.https.private-key properties.
#
# - If both file and content-based properties are set, the content-based settings will take precedence.
fusionauth-app.https.enabled=true
fusionauth-app.https.port=9013
fusionauth-app.https.certificate-file=C:\\fusionauth\\cert\\fatest5.pem
fusionauth-app.https.private-key-file=C:\\fusionauth\\cert\\fatest5.key
fusionauth-app.https.certificate=
fusionauth-app.https.private-key=



# Specify the memory size here. You can use M for megabytes and G for gigabytes
fusionauth-app.memory=512M

# Specify any additional JVM arguments here
fusionauth-app.additional-java-args=

# Runtime Mode. During development use, 'development' this will allow you to utilize maintenance mode.
# - Once you move into production, use 'production', this will disable maintenance mode.
# - Possible values [production, development]
fusionauth-app.runtime-mode=development

# Where Usage Data is sent if enabled
fusionauth-app.stats.url=https://usage-stats.fusionauth.io

//////////////////// fusionauth.properties contents end /////////////////////

@Scot I found these two previous posts that mention this may not be the best way to go.

how to change port no. 9011 (fusionauth) to 80 or any port like 443 is it possible

and

Is it possible to set up SSL for fusionauth directly?

Now, both those posts are older, but I know I have had success running with nginx so wanted to that out there if it may help.

All that being said, you should be able to do what it appears you are trying to do. I hope to have some time this weekend to see if I can get it going. I will let you know what I find. If you find something before then, please let me know.

@tschlegel Thanks for sharing the update!

@Scot Does that mean you got it working?

@cluong Hmm, from what I saw, you do not need the tenantID in the URL. I may be a bit confused by what you are trying to do.

So when you use the URL provided by IAMShowcase after you add the metadata, you are able to see the federated page but you can't complete the WebAuthN Wizard. Is that right?