FusionAuth

    FusionAuth as SAML relying party and custom login pages

    varunghaswala

      Hello,

      We have a setup where we use custom login pages for our applications and we use FusionAuth strictly as an API for managing our authentication infrastructure.

      One of our applications now needs to support SAML as an option to login. We are trying to add a button to our pages for Login with SAML, but are a bit lost on what we are actually required to do in this scenario.

      The SAML API endpoints seem to suggest we should be able to initiate a SAML request by using the Start a SAML login request, but it is not very clear what the returned code is supposed to be.

      Is this code meant to be the SAML request that is supposed to be posted to our SAML IdP, or does this code need to be included as a relay state while we build the SAML request ourselves?

      Can you please clarify @robotdan . Thank you

      Cheers

      dan @varunghaswala

        @varunghaswala

        Docs are opaque, but I believe you need to put the code value returned by the start call into the inResponseTo value of the SAML request you are making.

        I'd have to test this to be sure, but I think the sequence is:

        • call FusionAuth to get a code (the start call)
        • Build your SAML request, putting the code into the InResponseTo field of your SAML request.
        • Send the SAML request off
        • Get the response in XML
        • Call FusionAuth to complete the login (the complete call). Make sure you put the SAML response in the data.samlResponse field when calling complete.

        Please try that. Make sure you are enabling debug and reviewing the Event Log.

        And let us know how it goes. I'd like to update the documentation to be more clear.

        --
        FusionAuth - Auth for devs, built by devs.
        https://fusionauth.io

        varunghaswala @dan

          @dan Thanks for this. You are bang on point.

          • We had to make a call to FusionAuth to fetch the code (requestID).
          • We built an AuthnRequest that looked something like this:
          // ID carries the code returned by the FusionAuth start call; the IdP echoes it back as InResponseTo
          var samlRequestTemplate = `<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
          <ns3:AuthnRequest xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" xmlns:ns3="urn:oasis:names:tc:SAML:2.0:protocol"
              xmlns:ns4="http://www.w3.org/2001/04/xmlenc#" Version="2.0" ProviderName="${idpName}" ID="${CODE_FROM_FUSIONAUTH}" IssueInstant="${issueInstant}"
              Destination="${idpEndpoint}" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="${acsUrl}">
              <Issuer>${issuer}</Issuer>
              <ns3:NameIDPolicy Format="${nameIdFormat}" AllowCreate="false" />
          </ns3:AuthnRequest>`;
          
          • Post this request to the Identity Provider.
          • Complete the login flow and catch the response from the IdP. It has the code included as an InResponseTo attribute within the encoded samlResponse.
          • Call FusionAuth to Complete the Identity Provider Login.

          Then on it is the same flow as a normal Login API based login.

          Cheers 🙂

          dan @varunghaswala

            @varunghaswala said in FusionAuth as SAML relying party and custom login pages:

            <ns3:AuthnRequest xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" xmlns:ns3="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:ns4="http://www.w3.org/2001/04/xmlenc#" Version="2.0" ProviderName="${idpName}" ID="${CODE_FROM_FUSIONAUTH}" IssueInstant="{issueInstant}"
                Destination="${idpEndpoint}" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="${acsUrl}">
                <Issuer>${issuer}</Issuer>
                <ns3:NameIDPolicy Format="${nameIdFormat}" AllowCreate="false" />
            </ns3:AuthnRequest>

            Ah, great, so it is the ID which needs to be used as the code. I will update the documentation. Thanks so much for confirming.

              dan

              Doc PR here: https://github.com/FusionAuth/fusionauth-site/pull/1427
