UNSOLVED FusionAuth as SAML relying party and custom login pages

varunghaswala

Hello,

We have a setup where we use custom login pages for our applications and we use FusionAuth strictly as an API for managing our authentication infrastructure.

One of our applications now needs to support SAML as an option to login. We are trying to add a button to our pages for Login with SAML, but are a bit lost on what we are actually required to do in this scenario.

The SAML API endpoints seem to suggest, we should be to initiate a SAML request by using the Start a SAML login request, but it is not very clear in what the returned code is supposed to be?

Is this the code that is meant to be a SAML request that is supposed to be posted to our SAML IdP or is this code needs to included as a relay state and we build the SAML request our selves?

Can you please clarify @robotdan . Thank you

Cheers

dan

@varunghaswala

Docs are opaque, but I believe you need to put the code value returned by the start call into the inResponseTo value of the SAML request you are making.

I'd have to test this to be sure, but I think the sequence is:

call FusionAuth to get a code (the start call)
Build your SAML request, putting the code into the InResponseTo field of your SAML request.
Send the SAML request off
Get the response in XML
Call FusionAuth to complete the login (the complete call). Make sure you put the SAML response in the data.samlResponse field when calling complete.

Please try that. Make sure you are enabling debug and reviewing the Event Log.

And let us know how it goes. I'd like to update the documentation to be more clear.

varunghaswala

@dan Thanks for this. You are bang on point.

We had to make a call to FusionAuth to fetch the code(requestID)
We built a AuthN request that looked something like this:

var samlRequestTemplate = `<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ns3:AuthnRequest xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" xmlns:ns3="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:ns4= "http://www.w3.org/2001/04/xmlenc#" Version="2.0" ProviderName="${idpName}"  ID ="${CODE_FROM_FUSIONAUTH}"  IssueInstant ="{issueInstant}" 
    Destination="${idpEndpoint}" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="${acsUrl}">
    <Issuer>${issuer}</Issuer>
    <ns3:NameIDPolicy Format="${nameIdFormat}" AllowCreate="false" />
</ns3:AuthnRequest>`;

Post this request to the Identity Provider.
Complete the login flow and catch the response from IdP. It has the code included as a InResponseTo attribute within the encoded samlResponse.
Call fusion to Complete the Identity Provider Login.

Then on it is the same flow as a normal Login API based login.

Cheers

dan

@varunghaswala said in FusionAuth as SAML relying party and custom login pages:

<ns3:AuthnRequest xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" xmlns:ns3="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:ns4= "http://www.w3.org/2001/04/xmlenc#" Version="2.0" ProviderName="${idpName}" ID ="${CODE_FROM_FUSIONAUTH}" IssueInstant ="{issueInstant}"
Destination="${idpEndpoint}" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="${acsUrl}">
<Issuer>${issuer}</Issuer>
<ns3:NameIDPolicy Format="${nameIdFormat}" AllowCreate="false" />
</ns3:AuthnRequest>`;

Ah, great, so it is the ID which needs to be used as the code. I will update the documentation. Thanks so much for confirming.

dan

Doc PR here: https://github.com/FusionAuth/fusionauth-site/pull/1427