UNSOLVED Friction-free multi application SSO with MFA enabled
mgetka Power User last edited by mgetka
Hi FusionAuth community!
I'm preparing an upgrade of a FusionAuth instance embedded in my system. The update is quite a big leap - from 1.33.0 to the latest 1.43.1 version. Across those versions lots of changes appeared, so some tweaks in the runtime environment and supporting services were inevitable, but eventually all is working as expected. With one exception - SSO flow with MFA enabled.
In my system I have a set of independent services that are registered in FA as independent applications. Up until now, our users entered the system by accessing one of those services - the service then redirected the user to complete the OAuth2 flow via the hosted login pages. If the user decided to navigate to another service, the authentication (in the scope of the other service) would be performed without user interaction - since he has an active FusionAuth SSO session, the whole authentication drills down to just a bunch of 302 redirects. In 1.33.0, the whole process looked the same with or without MFA enabled, with the exception that the user was asked for the second factor during the initial sign-on (when accessing the first service).
After upgrading, the process looks different. The first authentication looks the same, but when the user switches between the services, he is asked for the second factor - he doesn't need to provide username and password (this is what SSO is all about, yes?) but is asked to provide the second factor on each new service accessed.
The new behavior significantly breaks the UX of my system, and I'm looking for an option that allows me to tune the FA policies to behave like in 1.33.0. Is this behavior configurable in any way?
As additional context, I have the Multi-Factor policy set to Enabled on the tenant level. The setting is not overridden in any of the FA applications. The whole described journey of a user across all the services happens in the scope of a single web browser session, and without the use of the "Trust this computer for 30 days" option.