I'm trying to get a SAML v2 identity provider set up against Google Workspace that allows both SP initiated and IdP initiated logins. [1] I'm struggling with how to configure this though.

Here's my basic setup:

1. I have a callback URL in my application where I do the code -> token exchange after authentication:

   https://dashboard.stablebuild.com/callbacks/fusionauth?url=%2Forganizations%2Fstablebuild

   FusionAuth then appends &code=xxxx to this.

2. When I do SP initiated login I redirect to (where idp_hint is the IdP ID):

   https://stablebuild.fusionauth.io/oauth2/authorize?client_id=1c165b4b-ef9a-4fe7-bde9-89ea0498432e&response_type=code&redirect_uri=https%3A%2F%2Fdashboard.stablebuild.com%2Fcallbacks%2Ffusionauth%3Furl%3D%252Forganizations%252Fstablebuild&idp_hint=5f06463b-97ae-4f93-b925-18d8ef9751a7

I have two ACS callback URLs in the identity provider config in FusionAuth:

• Callback URL (ACS): https://stablebuild.fusionauth.io/samlv2/acs
• IdP Initiated Callback URL (ACS): https://stablebuild.fusionauth.io/samlv2/acs/5f06463b-97ae-4f93-b925-18d8ef9751a7/1c165b4b-ef9a-4fe7-bde9-89ea0498432e

Try 1: Using the ACS callback URL

When I configure the first URL as the callback URL in Google Workspace:

Then:

1. SP initiated login works

2. IdP initiated login redirects to:

   https://stablebuild.fusionauth.io/oauth2/authorize?tenantId=7c4f6470-a023-d2e5-728c-3e5137f089bb

   And fails with 'The request is missing a required parameter: redirect_uri'

Try 2: Using the ACS callback URL w/ Start URL

Google describes the Start URL as "This is used to set the RelayState parameter in a SAML Request, which can be a URL to redirect to after authentication.". If I set the Start URL to my redirect URL:

Then:

1. SP initiated login works

2. IdP initiated login redirects to:

   https://stablebuild.fusionauth.io/oauth2/authorize?state=https%3A%2F%2Fdashboard.stablebuild.com%2Fcallbacks%2Ffusionauth%3Furl%3D%252Forganizations%252Fstablebuild&tenantId=7c4f6470-a023-d2e5-728c-3e5137f089bb

   and still fails with 'the request is missing a required parameter: redirect_uri' - makes sense, the URL is passed in the state field, not in the redirect_uri field.

Try 3: Using the ACS callback URL by appending ?redirect_uri

According to https://github.com/FusionAuth/fusionauth-issues/issues/1785 the RelayState parameter is indeed not supported, but we should be able to append ?redirect_uri to the callback URL. Here I append the callback URL (previously in Start URL to the ACS URL):

Then:

1. SP initiated login fails with:

   "The SAML AuthnResponse status indicated the request has failed. Unable to complete this login request."

   And in the logs I see:

   <saml2p:StatusMessage>Invalid request, ACS Url in request https://stablebuild.fusionauth.io/samlv2/acs doesn't match configured ACS Url https://stablebuild.fusionauth.io/samlv2/acs/?redirect_uri=https%3A%2F%2Fdashboard.stablebuild.com%2Fcallbacks%2Ffusionauth%3Furl%3D%252Forganizations%252Fstablebuild.</saml2p:StatusMessage>
   

   So that won't work.

2. IdP initiated login redirects to:

   https://stablebuild.fusionauth.io/oauth2/authorize?redirect_uri=https%3A%2F%2Fdashboard.stablebuild.com%2Fcallbacks%2Ffusionauth%3Furl%3D%252Forganizations%252Fstablebuild&tenantId=7c4f6470-a023-d2e5-728c-3e5137f089bb

   and fails with 'The request is missing a required parameter: client_id'. So it picks up the redirect_uri at least.

So, it seems that we can append the right parameters to the URL maybe - but SP initiated login breaks whenever we do that.

Try 4: Using the IdP Initiated Callback URL w/ ?redirect_uri param

When I set the IdP initiated callback URL, with the ?redirect_uri parameter set:

(Here ACS URL is https://stablebuild.fusionauth.io/samlv2/acs/5f06463b-97ae-4f93-b925-18d8ef9751a7/1c165b4b-ef9a-4fe7-bde9-89ea0498432e?redirect_uri=https%3A%2F%2Fdashboard.stablebuild.com%2Fcallbacks%2Ffusionauth%3Furl%3D%252Forganizations%252Fstablebuild)

Then:

1. SP initiated login fails with:

   Invalid redirect_uri Y2xpZW50X2lkPTFjMTY1YjRiLWVmOWEtNGZlNy1iZGU5LTg5ZWEwNDk4NDMyZSZyZWRpcmVjdF91cmk9aHR0cHMlM0ElMkYlMkZkYXNoYm9hcmQuc3RhYmxlYnVpbGQuY29tJTJGY2FsbGJhY2tzJTJGZnVzaW9uYXV0aCUzRnVybCUzRCUyNTJGb3JnYW5pemF0aW9ucyUyNTJGc3RhYmxlYnVpbGQmcmVzcG9uc2VfdHlwZT1jb2RlJnRlbmFudElkPTdjNGY2NDcwLWEwMjMtZDJlNS03MjhjLTNlNTEzN2YwODliYiZpZGVudGl0eVByb3ZpZGVySWQ9NWYwNjQ2M2ItOTdhZS00ZjkzLWI5MjUtMThkOGVmOTc1MWE3JmNzcmY9b1gzLVQxTzVEcVJ4NVpKVg
   

   Which is base64 encoded:

   client_id=1c165b4b-ef9a-4fe7-bde9-89ea0498432e&redirect_uri=https%3A%2F%2Fdashboard.stablebuild.com%2Fcallbacks%2Ffusionauth%3Furl%3D%252Forganizations%252Fstablebuild&response_type=code&tenantId=7c4f6470-a023-d2e5-728c-3e5137f089bb&identityProviderId=5f06463b-97ae-4f93-b925-18d8ef9751a7&csrf=oX3-T1O5DqRx5ZJV
   

   Which looks like valid query params; but for some reason they are base64 encoded, and interpreted as just the redirect_uri.

2. IdP initiated login works.

So... ?

I'm unsure how to proceed. I think that:

• If using the RelayState parameter as the redirect URI would be supported then I guess all of this would just work out of the box (filed on GH here: I've filed https://github.com/FusionAuth/fusionauth-issues/issues/2545 as a feature request to support using the RelayState as the redirect URL.).
• Appending ?redirect_uri, as suggested in https://github.com/FusionAuth/fusionauth-issues/issues/1785 does not work for SP initiated logins (bug? feature?).
• Something gets interpreted as base64 that shouldn't when using the IdP Initiated Callback URL with an SP-initiated flow (or I'm just abusing the endpoint, and this should never be possible - but maybe this should error out with a better message).

Any suggestions?

[1]I'd assume this is a relatively common usecase, as I want to trigger an auth flow from my application (SP initiated), as well as have a button in the Google Workspace app drawer to go to the application (IdP initiated) - if I have this wrong then I'd be happy to hear that too.