Configuring FusionAuth as a SAML IdP for Internal Applications
I’m trying to achieve the following setup:
- A Tenant has two external SAML IdPs and wants to add a third option for email and password login using FusionAuth.
- This login should be presented as if it were an external SAML IdP.
Scenario:
For Tenant T, there are Applications A and B:
- Application B has the SAML IdP feature enabled.
- Application A uses a SAML IdP (S), which has the SAML Login URL from Application B as the IdP Endpoint.
When clicking the button for S on Application A, a SAML request is generated. However, the Issuer in the SAML request references the Id of the Identity Provider S (e.g., https://company-stage.fusionauth.io/samlv2/sp/af59262c-79ba-48c6-a0a2-4ab1d2fc15d3).
This results in an error:
"The AuthnRequest contained an invalid issuer [https://company-stage.fusionauth.io/samlv2/sp/af59262c-79ba-48c6-a0a2-4ab1d2fc15d3] that does not map to an Application in FusionAuth."
I understand the error since this Issuer does not correspond to an Application configured as a SAML SP. The Issuer should be https://company-stage.fusionauth.io/samlv2/sp/{id of App A} instead.
Does this setup make sense, and could the issue relate to a single fusionauth.* namespace for cookies?
Yes, it is possible to configure an Application with the SAML IdP feature enabled and use it as an IdP for another Application within the same Tenant.
The error you’re encountering indicates that FusionAuth cannot find an Application configured as a SAML IdP with the Issuer URL https://company-stage.fusionauth.io/samlv2/sp/af59262c-79ba-48c6-a0a2-4ab1d2fc15d3. This URL corresponds to the Identity Provider you configured in Settings > Identity Provider.
Resolution:
To fix this issue, update the SAML configuration for Application B as follows:
- Navigate to Application B > Edit > SAML.
- Add the Issuer URL (https://company-stage.fusionauth.io/samlv2/sp/af59262c-79ba-48c6-a0a2-4ab1d2fc15d3) in the Issuer field.
By doing this, FusionAuth will recognize the SAML request and correctly map it to Application B.
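As an added illustration (not code from this thread or from FusionAuth itself), here is the check a practitioner would run before touching any configuration: decode the SAMLRequest that Application A's login button actually sends, pull out its Issuer, and compare it with the value FusionAuth derives for an Application acting as SP (https://<host>/samlv2/sp/{applicationId}, as stated in the question). The AuthnRequest below is constructed to carry the Issuer from the error message; APP_A_ID is a placeholder because the thread does not give Application A's Id.

```python
import base64
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Values taken from the thread above.
BASE_URL = "https://company-stage.fusionauth.io"
IDP_S_ID = "af59262c-79ba-48c6-a0a2-4ab1d2fc15d3"
# Hypothetical Id for Application A; the thread does not give the real one.
APP_A_ID = "00000000-0000-0000-0000-00000000000a"

# Constructed AuthnRequest carrying the Issuer from the error message (not a real capture).
SAMPLE_AUTHN_REQUEST_XML = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" ID="_constructed-example-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>{BASE_URL}/samlv2/sp/{IDP_S_ID}</saml:Issuer>
</samlp:AuthnRequest>"""


def encode_redirect_binding(xml_text: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header) then base64, as found in ?SAMLRequest=."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 selects raw deflate
    return base64.b64encode(comp.compress(xml_text.encode("utf-8")) + comp.flush()).decode("ascii")


def encode_post_binding(xml_text: str) -> str:
    """HTTP-POST binding: plain base64 of the XML, no compression."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def decode_saml_request(saml_request: str) -> str:
    """Accept a SAMLRequest value from either binding (URL-encoded or not) and return the XML."""
    raw = base64.b64decode(urllib.parse.unquote(saml_request))
    if raw.lstrip().startswith(b"<"):
        return raw.decode("utf-8")  # POST binding: already XML (heuristic: deflate output never starts with '<' here)
    return zlib.decompress(raw, -15).decode("utf-8")  # Redirect binding: inflate raw deflate


def extract_issuer(xml_text: str) -> str:
    """Return the <saml:Issuer> text of an AuthnRequest.

    ElementTree is fine for a known sample; use defusedxml when parsing XML you did not construct."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError(f"not an AuthnRequest: {root.tag}")
    issuer = root.find(f"{{{SAML_NS}}}Issuer")
    if issuer is None or not (issuer.text or "").strip():
        raise ValueError("AuthnRequest has no Issuer")
    return issuer.text.strip()


def expected_sp_issuer(base_url: str, application_id: str) -> str:
    """Issuer FusionAuth expects for an Application acting as SAML SP (format as given in the thread)."""
    return f"{base_url.rstrip('/')}/samlv2/sp/{application_id}"


def check_issuer(saml_request: str, base_url: str, application_id: str):
    """Return (matches, actual_issuer): does the request's Issuer map to the given Application?"""
    actual = extract_issuer(decode_saml_request(saml_request))
    return actual == expected_sp_issuer(base_url, application_id), actual


# Encoded the way the browser would carry it on the redirect to Application B's SAML login URL.
SAMPLE_SAML_REQUEST = encode_redirect_binding(SAMPLE_AUTHN_REQUEST_XML)

if __name__ == "__main__":
    ok, issuer = check_issuer(SAMPLE_SAML_REQUEST, BASE_URL, APP_A_ID)
    print("Issuer in request :", issuer)
    print("Expected for App A:", expected_sp_issuer(BASE_URL, APP_A_ID))
    print("Maps to App A?    :", ok)
```

In practice, copy the SAMLRequest query parameter from the redirect that Application A's button produces (browser dev tools, Network tab) and pass it to check_issuer; the mismatch the thread describes shows up as the Issuer carrying the Identity Provider's Id rather than Application A's Id, which is exactly the value the answer above says to enter in Application B's Issuer field.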