RE: FusionAuth as SAML relying party and custom login pages

@varunghaswala said in FusionAuth as SAML relying party and custom login pages:

<ns3:AuthnRequest xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" xmlns:ns3="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:ns4= "http://www.w3.org/2001/04/xmlenc#" Version="2.0" ProviderName="${idpName}" ID ="${CODE_FROM_FUSIONAUTH}" IssueInstant ="{issueInstant}"
Destination="${idpEndpoint}" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="${acsUrl}">
<Issuer>${issuer}</Issuer>
<ns3:NameIDPolicy Format="${nameIdFormat}" AllowCreate="false" />
</ns3:AuthnRequest>`;

Ah, great, so it is the ID which needs to be used as the code. I will update the documentation. Thanks so much for confirming.

@ursache-rarress

Thanks for using FusionAuth!

Getting the password via API is not possible.

If you want to migrate away from FusionAuth and need the password hash for that purpose, you can use a database export.

In general, if you are using FusionAuth as your auth server, passwords should remain within FusionAuth and no where else.

@francis-ducharme Hi Francis,

Is this still an issue? I'd review your application configuration (in the 'Applications' tab) to double check that the logout url is correct there.

Also, it'd be helpful to know the version of FusionAuth you are running.

@bvb1992bvb The community edition supports TOTP for MFA, but you have to build your own 'auth setup' page using the APIs and QR code generation libraries.

The account self service pages are part of the paid edition feature set. Those appear to be what you are viewing, but if that's not the case, please let us know.

You can get a free trial of the starter plan for a month from the pricing page: https://fusionauth.io/pricing if that is of interest.

@varunghaswala

Docs are opaque, but I believe you need to put the code value returned by the start call into the inResponseTo value of the SAML request you are making.

I'd have to test this to be sure, but I think the sequence is:

• call FusionAuth to get a code (the start call)
• Build your SAML request, putting the code into the InResponseTo field of your SAML request.
• Send the SAML request off
• Get the response in XML
• Call FusionAuth to complete the login (the complete call). Make sure you put the SAML response in the data.samlResponse field when calling complete.

Please try that. Make sure you are enabling debug and reviewing the Event Log.

And let us know how it goes. I'd like to update the documentation to be more clear.

@stephen-saucier-0, This was resolved in 1.36.

https://github.com/FusionAuth/fusionauth-issues/issues/1585

In general, you'll use the JSON defined in the API documentation to build the request. Unfortunately, the Search Event Logs API doc doesn't have sample JSON (I filed an issue) but it does have the fields: https://fusionauth.io/docs/v1/tech/apis/event-logs#search-event-logs

You can also find the EventLogSearchRequest in the client code:

https://github.com/FusionAuth/go-client/blob/master/pkg/fusionauth/Domain.go#L1545

This points at https://github.com/FusionAuth/go-client/blob/master/pkg/fusionauth/Domain.go#L1534

However, I'm not sure searching event logs gets you what you are trying to accomplish:

My goal is to grab all the last events, login..., from a specific user based on his email by example.

You probably want to search login records: https://fusionauth.io/docs/v1/tech/apis/login#search-login-records

https://github.com/FusionAuth/go-client/blob/master/pkg/fusionauth/Domain.go#L3145

https://github.com/FusionAuth/go-client/blob/master/pkg/fusionauth/Domain.go#L3134

Hi,

I'm trying to use the client but have some question, need some help.
My goal is to grab all the last events, login..., from a specific user based on his email by example.

So if we take this for example:

response, errors, err := client.SearchEventLogs()

the module explaintion gove me that:

func (*fusionauth.FusionAuthClient).SearchEventLogs(request fusionauth.EventLogSearchRequest) (*fusionauth.EventLogSearchResponse, *fusionauth.Errors, error)
SearchEventLogs Searches the event logs with the specified criteria and pagination.

EventLogSearchRequest request The search criteria and pagination information.
(fusionauth.FusionAuthClient).SearchEventLogs on pkg.go.dev

but what is the function input ?? What does refer the struct linked to request fusionauth.EventLogSearchRequest ?
Ty,
Adrien

This was pulled over from https://github.com/FusionAuth/go-client/issues/66

@vindhyahegde2114

At this time, SSO is only supported if you use the hosted login pages:

Additionally, when you use the hosted login pages, FusionAuth provides transparent single sign on (SSO) between applications as well as support for localization of the user interface.

https://fusionauth.io/docs/v1/tech/core-concepts/integration-points#hosted-login-pages

There's an open issue to expose SSO management via an API: https://github.com/FusionAuth/fusionauth-issues/issues/1515

Please vote it up and/or add a comment about your use case if you'd like.

As a reminder, here's our roadmap guidance: https://fusionauth.io/docs/v1/tech/core-concepts/roadmap

@nicholas-tsaoucis

Sorry to hear that!

You should be able to use the API key from the kickstart file to reset the password of a user. The easiest way is probably to use the Update User API: https://fusionauth.io/docs/v1/tech/apis/users#update-a-user