How to configure SAMLv2 in my FusionAuth account.
-
I am currently seeking clarification on the configuration of SAMLv2 integration within FusionAuth. I have successfully created Lambda functions within the FusionAuth environment. My objective is to implement a unique identifier that will facilitate integration with the service provider, as FusionAuth is functioning as the Identity Provider (IdP). I have already enabled SAMLv2 within the Application settings, but I am now unsure of the subsequent steps.
-
When testing my FusionAuth SAMLv2 (as the IdP) on "https://sptest.iamshowcase.com/authnrequest", I would get back the following error message:
"message" : "The login URL does not contain the tenant Id. Ensure your URL includes the tenantId like this: /samlv2/login/{tenantId}."
The login URL and logout URL from the SAML integration do contain the tenantId. I can't seem to find the solution to fix this issue.
-
@cluong Can you please clarify a bit? Where are you receiving the error message? Is FusionAuth giving you that message or is the sptest.iamshowcase.com? Do you have multiple tenants set up in FusionAuth?
-
Hi Mark,
I have configured a single tenant rather than multiple tenants.
I adhered to the procedures outlined on https://sptest.iamshowcase.com/authnrequest. I specified my Identity Provider (IdP) and NameId, selected ForcedAuth, and submitted the SAML authentication request.
I believe this request redirects to the SAMLv2 login URL of my FusionAuth domain; however, it generates the following error message: "The login URL does not contain the tenant Id. Ensure your URL includes the tenantId in the format: /samlv2/login/{tenantId}."
-
@cluong Can you share your configuration in FusionAuth (without exposing any secrets)?
-
@cluong I was able to complete the AuthNRequest Wizard.
To be sure we are trying to accomplish the same task, I followed the instructions on IAMShowcase.
I had to follow the pre-reqs to get it working. I want to be sure we are on the same page in that we set up a SP Initiated SSO, where FusionAuth is the IDP and IAMShowcase is the SP.
My Configuration Steps:
-
In FusionAuth, I went to the application and selected Edit
-
I went to the SAML tab and enabled it. Listed IAMShowcase as the Issuer. Added https://sptest.iamshowcase.com/acs to the Authorized redirect URLs.
-
After I saved that information, I went back to the list of applications and selected View. I scrolled down to the SAML v2 Integration details. I then copied the link for the Metadata URL. I pasted that in a browser window and got the xml.
-
I then copied the xml into the Upload Data text box on IAMShowcase. When I submitted that I received a URL that allowed me to see the following.
After that, I was able to complete the WebAuthN Wizard.
The next step was to create another tenant in my instance, duplicate the application in the new tenant, add a new user to that application and repeat the verification. That worked. At no time was I asked for a tenant id.
If you are doing something different, please let me know so I can re-create and try to help.
-
Hi Mark,
I followed the steps as instructed; however, I was unable to access the page you referenced. I encountered a FusionAuth error message indicating that "The login URL does not contain the tenant Id. Please ensure your URL includes the tenantId in the following format: /samlv2/login/{tenantId}."
The login URL in my SAML integration does include the tenantId, which leads to my confusion regarding the issue.
However, when I utilize the Initiate login URL, I am able to successfully access the IAMShowcase federated page, which is also confusing.
-
@cluong Hmm, from what I saw, you do not need the tenantID in the URL. I may be a bit confused by what you are trying to do.
So when you use the URL provided by IAMShowcase after you add the metadata, you are able to see the federated page but you can't complete the WebAuthN Wizard. Is that right?
-
I scrolled down to the SAML v2 Integration details. I then copied the link for the Metadata URL. I pasted that in a browser window and got the xml.
I then copied the xml into the Upload Data text box on IAMShowcase. When I submitted that I received a URL that allowed me to see the following.
I pasted that URL in the browser and still receive the error message from FusionAuth:
"The login URL does not contain the tenant Id. Ensure your URL includes the tenantId in the format: /samlv2/login/{tenantId}."
After that, I went to the WebAuthN Wizard and completed the steps and still received the error message from FusionAuth.
I looked at the SP XML configuration and saw that the destination for the login did not include the tenantId, therefore I keep on getting the error message. Am I doing something wrong? But if I were to use the "Initiate login URL" that is in my Application -> View -> SAMLv2 Integration section and use the login credentials, I am able to successfully access the IAMShowcase federated page.
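A check a practitioner can run on the FusionAuth IdP metadata XML before uploading it to the SP, to spot any SingleSignOnService Location that lacks the id segment the error message in this thread refers to (the SP derives its login destination from that Location). This is an added example, not code from FusionAuth or from anyone in the thread; the metadata document below is constructed, and treating the segment after /samlv2/login/ as a UUID is an assumption based on the error text.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Path shape quoted in the FusionAuth error on this thread: /samlv2/login/{tenantId}.
# Assumption: the id is a UUID; anything after it is deliberately left unconstrained.
LOGIN_PATH = re.compile(
    r"^/samlv2/login/[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}(/|$)"
)


def sso_locations(metadata_xml: str):
    """Return (binding, location) for every IdP SingleSignOnService in the metadata."""
    root = ET.fromstring(metadata_xml)
    return [(s.get("Binding", ""), s.get("Location", ""))
            for s in root.iterfind(".//md:IDPSSODescriptor/md:SingleSignOnService", MD_NS)]


def check_login_urls(metadata_xml: str):
    """Return human-readable findings; an empty list means every SSO endpoint carries an id."""
    findings = []
    endpoints = sso_locations(metadata_xml)
    if not endpoints:
        findings.append("no IDPSSODescriptor/SingleSignOnService found in metadata")
    for binding, location in endpoints:
        path = urlparse(location).path
        if not LOGIN_PATH.match(path):
            short_binding = binding.rsplit(":", 1)[-1]  # e.g. HTTP-Redirect
            findings.append(f"{short_binding} endpoint lacks the id segment: {location}")
    return findings


# Constructed sample metadata: the id is present on the POST binding and missing on Redirect.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="https://idp.example.com">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/samlv2/login/e1ac4d6a-4a3b-4d0b-9d9b-2a7b4e8f0c11"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/samlv2/login"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

if __name__ == "__main__":
    for finding in check_login_urls(SAMPLE_METADATA):
        print(finding)
```

Point the script at the XML fetched from the application's Metadata URL; a non-empty list of findings explains why the SP's login destination would be rejected.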
-
@cluong Hmm, just to verify, when you submit the data, do you get a URL that looks similar to this?
https://sptest.iamshowcase.com/ixs?idp=581409a977a79eb0f979f2f591204c8f69f0f334
It does not surprise me that the WebAuthN Wizard would fail if we cannot get the URL provided to work.
For clarification, it is my understanding that iamshowcase is the SP in this test case and FusionAuth is the IDP. I never used the "Initiate login URL" when setting up the SP initiated SSO.
For the record, if I enable "Enable IdP initiated login" from the SAML tab of the Application, I too am able to see the federated page.
When setting up the SP initiated SSO, I do not use the URL provided by "Initiate login URL." Would you be able to share the Metadata URL or the xml that it produces? Could you also share a copy of your Application -> SAML tab configuration? (Feel free to mark it up and hide any information you do not want public.) If that does not work for you, I suggest setting up a test instance so you can share some more detail so we can get this working for you. Also, what version of FusionAuth are you working with?