FusionAuth
    • W

      Solved How to Support Elevated OAuth Scopes for Select Users in FusionAuth with Google Reauthentication

      Frequently Asked Questions (FAQ)
      • idp • • wesley
      0 Votes, 2 Posts, 136 Views

      W

      This is definitely an uncommon scenario, so there’s no out-of-the-box flow documented for it, but here’s one way to handle it:

      1. Create a second Google IdP: FusionAuth supports only one native Google IdP, but you can set up an additional Google connection as a generic OpenID Connect (OIDC) IdP. This second IdP can request the elevated scopes you need for email access. See the OIDC docs here: OpenID Connect IdP in FusionAuth.
      2. Trigger reauthentication: When a user opts into the email client feature, redirect them through the second IdP’s OAuth flow to acquire the elevated scopes. This effectively escalates their session without forcing all users through additional authentication unnecessarily.

      This approach allows you to avoid reauthentication for users who don’t need the extra scopes while supporting a higher-privilege flow for users who do.

    • W

      Solved Handling Default IdP Routing in FusionAuth Without idp_hint

      Frequently Asked Questions (FAQ)
      • idp • • wesley
      0 Votes, 2 Posts, 123 Views

      W

      FusionAuth doesn’t currently support setting a default IdP for an application or automatically forcing logins through an IdP. You’re welcome to submit a feature request on our GitHub issues page.

      If all your users share the same email domain, you could try Managed Domains to route them to the correct IdP.

      Another option is to place a proxy in front of FusionAuth. The proxy could inspect incoming requests and append the idp_hint before forwarding traffic to FusionAuth. You can learn more about using a proxy setup here.

    • W

      Solved Using Managed Domains in FusionAuth to Hide Password Fields Until Email Entry

      Frequently Asked Questions (FAQ)
      • identity idp • • wesley
      0 Votes, 2 Posts, 17 Views

      W

      Yes, FusionAuth offers a feature called Managed Domains that can help implement this type of flow. When you set up Managed Domains under an Identity Provider and enable it for your application, the hosted login page will initially display only an email input field. Based on the user’s email domain, FusionAuth will then either redirect them to the appropriate Identity Provider (such as for employee logins) or continue to the standard username/password login for other users.

      You can read more about Managed Domains here:
      Managed Domains Documentation

    • W

      Solved How to Disable Facebook Login and Signup Buttons in FusionAuth UI

      Frequently Asked Questions (FAQ)
      • identity idp • • wesley
      0 Votes, 2 Posts, 91 Views

      W

      Yes, you can disable the Facebook login and signup button through the FusionAuth dashboard. Navigate to Settings > Identity Providers, then edit the Facebook Identity Provider. At the top of the configuration page, you’ll find an “Enabled” toggle that lets you disable Facebook login globally for all applications. Alternatively, you can disable Facebook login for specific applications by using the application-level toggles at the bottom of the same page.

    • B

      Unsolved Configure Identity Providers per tenant

      Q&A
      • saml idp federation • • bubblez
      0 Votes, 4 Posts, 1.8k Views

      danD

      @impackt Great, glad you have a path forward.

    • J

      Solved Disable email and password logins

      Q&A
      • disable login idp sso • • johnathon
      0 Votes, 2 Posts, 1.9k Views

      J

      @johnathon

      One approach would be to append the parameter idp_hint to the login URL to redirect a user to the appropriate IdP login page. Please read the hints section in our documentation for more information.

      Another way to disable the password and email login for a user would be to set their password to a random 25-character string. This would make the password essentially impossible to brute force and thus impossible for them to log in via the hosted login page.

    • T

      Google login sometimes fails without error

      Q&A
      • google idp • • trevorr
      0 Votes, 5 Posts, 12.7k Views

      joshuaJ

      @md-tanveeraj Can you confirm how you are integrating Google?

      The two most common implementations of Google + FusionAuth are via the hosted pages (where you have FusionAuth display a login with google - https://fusionauth.io/docs/v1/tech/identity-providers/google) or via writing your own login page and Google integration (login with google via API - https://fusionauth.io/docs/v1/tech/apis/identity-providers/google#complete-the-google-login)

      I might need some more context to be able to provide additional assistance.

      Thanks,
      Josh

    • E

      Using Slack as Identity Provider with OpenID for Federated Identity Management with Aspnet Core App

      Q&A
      • external identity oidc idp federation • • etienne.lorthoy
      0 Votes, 4 Posts, 2.9k Views

      danD

      @eirikur That is awesome, thanks so much for sharing your settings.

    • danD

      Removing a user when they are removed from an IdP?

      Q&A
      • removing users update idp • • dan
      0 Votes, 2 Posts, 1.8k Views

      danD

      You would have to add a hook in your IdP to make an API call to delete the user in FusionAuth. However, because the SoR will no longer have this user, the user will not be able to log in via FusionAuth either unless their password is reset.

      We have discussed adding support for SCIM which may provide some of these types of features assuming other IdPs also support this standard. This is on the roadmap: https://github.com/FusionAuth/fusionauth-issues/issues/106

    • danD

      Initiating login from a SAML IdP?

      Q&A
      • saml idp login • • dan
      0 Votes, 2 Posts, 1.2k Views

      danD

      We don’t currently support IdP initiated login.

      This has come up a few times, we’ll likely end up adding it, but for now it is not possible. We have an open feature for this in GitHub.

      Please feel free to upvote it or otherwise communicate your desire for this work to be done.

    • danD

      Solved Text on the Google login popup when using Google as an IdP

      Q&A
      • google idp account screen • • dan
      0 Votes, 2 Posts, 1.4k Views

      danD

      As far as I know it is not possible, I believe Google builds that text based upon the redirect_uri. I would assume you'd only see the fusionauth.io domain listed if you're using our hosted URL. If you are using an enterprise plan with a custom domain (login.example.com) you shouldn't see fusionauth.io mentioned.

      I know in the Google cloud console where you configure your credentials there is a customization option for the consent screen, but I do not know if that will modify this account chooser or not.