Retrieve IdP id used for login
-
Is it possible to determine, which IdP (IdP id in FusionAuth) was used by a user to login?
-
How are you using FusionAuth? Login API or hosted login pages?
When do you want to know? In the login record, the JWT or some other way?
You get a value in the JWT with the IDP type: https://fusionauth.io/docs/v1/tech/oauth/tokens/
You also can see the `identityProviderId` in the success login event: https://fusionauth.io/docs/v1/tech/events-webhooks/events/#user-login-success
-
@dan
I am using FusionAuth with a redirect to the FusionAuth login page and then handling the oauth-callback with my API.
In the ideal case, I would like to know the IdP ID during the OAuth callback, which means when I have obtained the JWT.
Just the IdP type isn't enough, because based on the unique IdP ID I need to decide which fields I will take from user.data reconciled from SAML or OpenID.
A webhook wasn't under consideration, because it would be hard to keep data in sync in my case.
-
I think what you want is on the user object, so you want to do the following:
- add a jwt populate lambda: https://fusionauth.io/docs/v1/tech/lambdas/jwt-populate/
- extract the idp used from the `user` object in that lambda.
I haven't tested this, but from the docs `user.registrations[x].tokens` gives you: "A map that contains tokens returned from identity providers. For example, if this user has authenticated using the Facebook Identity Provider, the Facebook access token will be available in this map, keyed by name Facebook. For an OpenID Connect Identity provider, or other generic providers, if a token is stored it will be keyed by the Identity Provider unique Id."
So I think you could look at that tokens map and find out the idp the user used to register. Give that a try and let me know if it works, please.
-
I tried to play around with lambdas (both JWT populate and SAML reconcile) and found the following:
- in populate, `user.registrations[x].tokens` is always empty (at least for SAML providers);
- in reconcile, `samlResponse` contains `conditions.audiences[x]` -> `https://domain.name/samlv2/sp/4d7c275f-1e34-43b8-b651-103582e96fa3` with an IdP ID;
- also, in the Event Log, the debug message of the SAML lambda has an IdP ID in it: `SAML v2 IdP Response Debug Log for [IdP Name] with Id [4d7c275f-1e34-43b8-b651-103582e96fa3]`
For now, I could extract an ID from `conditions.audiences`, but is there any other way to access it? `audiences` is an array, in my case with only one element; what else should I expect to receive in this array?
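The two lambdas below are an added example, not code from the thread or from FusionAuth, showing the approach the two posts above converge on: the SAML v2 reconcile lambda pulls the IdP id out of `samlResponse.conditions.audiences` (assumed to arrive as a JavaScript array of strings whose SP entry ends in `/samlv2/sp/<identityProviderId>`, as observed above), stashes it on `user.data`, and the JWT populate lambda copies it into a custom claim, falling back to a UUID-keyed entry in `registration.tokens` for the OpenID Connect case the quoted docs describe. The lambda signatures `reconcile(user, registration, samlResponse)` and `populate(jwt, user, registration)` are FusionAuth's; the claim name `identityProviderId`, the `user.data.lastIdentityProviderId` field and the sample inputs are this example's own choices. It is written in ES5 style because older FusionAuth releases run lambdas on an ES5-only engine.

```javascript
// Added example: SAML v2 reconcile + JWT populate lambdas that surface the
// IdP id used for login. Not FusionAuth's code; see lead-in for assumptions.

var UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
// Assumed audience shape, taken from the URL observed in the thread.
var SP_AUDIENCE_RE = /\/samlv2\/sp\/([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})\/?$/i;

// Extract the IdP id from the SAML audience list. Returns null when no
// audience has the expected shape, or when two different SP ids are present
// (ambiguous), so a downstream field mapping is never chosen from a guess.
function identityProviderIdFromAudiences(audiences) {
  if (!audiences || typeof audiences.length !== 'number') {
    return null;
  }
  var found = {};
  var count = 0;
  for (var i = 0; i < audiences.length; i++) {
    var audience = audiences[i];
    if (typeof audience !== 'string') {
      continue;
    }
    var m = SP_AUDIENCE_RE.exec(audience.trim());
    if (m) {
      var id = m[1].toLowerCase();
      if (!found[id]) {
        found[id] = true;
        count++;
      }
    }
  }
  if (count !== 1) {
    return null;
  }
  for (var key in found) {
    return key;
  }
  return null;
}

// SAML v2 reconcile lambda: record which IdP produced this assertion on the
// user so the value is still available when the JWT is built.
function reconcile(user, registration, samlResponse) {
  var conditions = (samlResponse && samlResponse.conditions) || {};
  var idpId = identityProviderIdFromAudiences(conditions.audiences);
  user.data = user.data || {};
  if (idpId !== null) {
    user.data.lastIdentityProviderId = idpId;   // field name is this example's choice
  }
}

// JWT populate lambda: expose the IdP id as a custom claim. For non-SAML
// providers the quoted docs say a stored token is keyed by the IdP id, so a
// UUID-shaped key in registration.tokens is used as a fallback.
function populate(jwt, user, registration) {
  var data = (user && user.data) || {};
  var idpId = data.lastIdentityProviderId || null;
  if (idpId === null && registration && registration.tokens) {
    for (var key in registration.tokens) {
      if (UUID_RE.test(key)) {
        idpId = key.toLowerCase();
        break;
      }
    }
  }
  if (idpId !== null) {
    jwt.identityProviderId = idpId;   // claim name is this example's choice
  }
}

// Constructed sample login (not a real FusionAuth capture): runs both lambdas
// in the order FusionAuth would and returns the resulting JWT claims object.
function runSampleLogin() {
  var user = { email: 'alice@example.com', data: {} };
  var registration = { tokens: {} };
  var samlResponse = {
    conditions: {
      audiences: ['https://domain.name/samlv2/sp/4d7c275f-1e34-43b8-b651-103582e96fa3']
    }
  };
  reconcile(user, registration, samlResponse);
  var jwt = {};
  populate(jwt, user, registration);
  return jwt;
}
```

Treat a missing `identityProviderId` claim in your callback handler as "provider unknown" and refuse to apply any provider-specific `user.data` mapping, rather than defaulting to the mapping of the provider you trust most; the extractor deliberately returns null on an ambiguous audience list for the same reason.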
-
Glad you were able to figure it out. I'm not aware of any other way to access the identity provider id from the response, but that does seem to solve your problem, correct?
Please feel free to file a feature request more clearly outlining your use case and proposed ideal solution.
It looks like the type of `audiences` is a set of strings, so I wouldn't expect any complex elements. The docs say that this field is:
"[a] list of the audiences for this SAML response. By default, the issuer or audience from the form are used."
This is not super clear to me, so I filed a PR against the docs to make it clearer: https://github.com/FusionAuth/fusionauth-site/pull/376