<![CDATA[Configuring FusionAuth as a SAML IdP for Internal Applications]]>I’m trying to achieve the following setup:

  1. A Tenant has two external SAML IdPs and wants to add a third option for email and password login using FusionAuth.
  2. This login should be presented as if it were an external SAML IdP.

Scenario:
For Tenant T, there are Applications A and B:

  • Application B has the SAML IdP feature enabled.
  • Application A uses a SAML IdP (S), which has the SAML Login URL from Application B as the IdP Endpoint.

When clicking the button for S on Application A, a SAML request is generated. However, the Issuer in the SAML request references the Id of the Identity Provider S (e.g., https://company-stage.fusionauth.io/samlv2/sp/af59262c-79ba-48c6-a0a2-4ab1d2fc15d3).

This results in an error:

"The AuthnRequest contained an invalid issuer [https://company-stage.fusionauth.io/samlv2/sp/af59262c-79ba-48c6-a0a2-4ab1d2fc15d3] that does not map to an Application in FusionAuth."

I understand the error since this Issuer does not correspond to an Application configured as a SAML SP. The Issuer should be https://company-stage.fusionauth.io/samlv2/sp/{id of App A} instead.
Does this setup make sense, and could the issue relate to a single fusionauth.* namespace for cookies?

]]>https://fusionauth.io/community/forum/topic/2857/configuring-fusionauth-as-a-saml-idp-for-internal-applicationsRSS for NodeFri, 10 Apr 2026 12:42:22 GMTThu, 30 Jan 2025 21:34:48 GMT60<![CDATA[Reply to Configuring FusionAuth as a SAML IdP for Internal Applications on Thu, 30 Jan 2025 21:37:12 GMT]]>Yes, it is possible to configure an Application with the SAML IdP feature enabled and use it as an IdP for another Application within the same Tenant.

The error you’re encountering indicates that FusionAuth cannot find an Application configured as a SAML IdP with the Issuer URL https://company-stage.fusionauth.io/samlv2/sp/af59262c-79ba-48c6-a0a2-4ab1d2fc15d3. This URL corresponds to the Identity Provider you configured in Settings > Identity Provider.

Resolution:

To fix this issue, update the SAML configuration for Application B as follows:

  1. Navigate to Application B > Edit > SAML.
  2. Add the Issuer URL (https://company-stage.fusionauth.io/samlv2/sp/af59262c-79ba-48c6-a0a2-4ab1d2fc15d3) in the Issuer field.

By doing this, FusionAuth will recognize the SAML request and correctly map it to Application B.

]]>https://fusionauth.io/community/forum/post/7785https://fusionauth.io/community/forum/post/7785Thu, 30 Jan 2025 21:37:12 GMT