Login Without Authentication Page in FusionAuth but with SSO Session Cookie
-
Hi everyone,
We are working on an integration with FusionAuth and need help to avoid requiring users to enter their username and password on the FusionAuth login page while ensuring that the fusionauth.sso cookie is properly set. This cookie is essential because another application will use it to validate the session.
Current Flow:
- MemberSuite initiates the login request using Reverse SSO.
- Our SSO Bridge intercepts the request and constructs the authentication URL for FusionAuth.
- The user is redirected to FusionAuth for authentication.
- Upon successful authentication, FusionAuth redirects the user to ChainPoint.
- ChainPoint begins its login process and redirects back to FusionAuth.
- Since the user is already authenticated, they are sent directly to the platform dashboard.
What We Need:
We want to log the user in without them having to manually enter their credentials on FusionAuth's login page. However, we still need the fusionauth.sso cookie to be set, so ChainPoint can validate the session and grant access.
We found this GitHub issue, but many of the referenced links are no longer working.
Has anyone solved a similar case, or can anyone provide guidance on how to handle this requirement?
Any suggestions or references would be greatly appreciated. Thanks in advance!
-
@cristian What are you using for the SSO Bridge? Also, if you don't want the user to enter their credentials on FusionAuth's login page, what will be acting as the Identity Provider (IdP)? I'm not 100% clear on your use case, but have you checked out Connectors? Seems like that might be a way to go.
-
Hi @mark-robustelli,
Thanks for your response.
The SSO Bridge acts as the IdP between MemberSuite and FusionAuth. It also handles other functions related to data synchronization and specific validations against ChainPoint and Zapier.
Currently, the SSO Bridge performs multiple validations against MemberSuite and then logs the verified user into FusionAuth using the API. However, we read in the FusionAuth documentation that:
- "A FusionAuth SSO session is created when a user checks 'Keep me signed in'. This session is available only when using the hosted login pages and a browser or webview. This session gives your application transparent, automatic user authentication when a user on a device switches between different web or mobile applications."
Since we are logging in via API (server-to-server), we understand that the fusionauth.sso cookie is not being set because there is no browser session involved. This prevents ChainPoint from detecting an active session automatically.
One of the reasons we chose to go through FusionAuth rather than handling authentication directly via the SSO Bridge is that we want FusionAuth to serve as the central authentication portal for other platforms within the company. Given this long-term goal, we need to ensure that FusionAuth correctly sets the SSO session for seamless authentication.
One option we considered was creating a custom login page that would auto-submit user credentials, but we don’t see this as a good practice. Instead, we’re looking for a more robust way to achieve seamless authentication while ensuring the fusionauth.sso cookie is properly set.
Would a Connector help in this case, or is there another recommended approach to achieve this?
Thanks again for your help!
-
@cristian hmm, if the docs say the session is only available when using the hosted login pages, it seems like you may be out of luck. Give me a little time to ask around a bit and see if there may be alternative suggestions for your workflow.
-
@cristian I asked around a bit, and unfortunately I don't have a great answer for you. I think this information about FusionAuth SSO just confirms what you already know.
On a slightly brighter note, someone helped me find this open GH Issue that you should probably follow that might help down the road.
In the meantime, does anyone have any other advice or suggestions for @cristian?