Configuring a Custom Domain for SAML Audience URLs in FusionAuth
-
I’m working on enabling SAML login for our app using FusionAuth. While I’ve successfully set up SAML login with our company, I have a concern about the SAML audience URL.
Currently, the audience URL provided is in the format: https://company.fusionauth.io/samlv2/sp/<id>.
This isn’t ideal because, while we’re using FusionAuth Cloud now, we may transition to a self-hosted FusionAuth instance or a different authentication system in the future. To avoid dependencies on the FusionAuth Cloud domain, I’d like the SAML audience URL to use a domain we control, e.g., https://auth.company.com/samlv2/sp/<id>.
Specific Questions:
- Is it possible to configure FusionAuth to use a custom domain for the SAML audience URL?
- Does the "Issuer" setting on the tenant configuration affect SAML URLs, or is it only for JWTs?
- I noticed the "Custom URL" option at login.fusionauth.io, but it appears to only provide aliases for company.fusionauth.io and doesn’t affect SAML audience URLs. Am I correct in this understanding?
Additional Information:
- We are using FusionAuth version 1.45.1 but are open to upgrading if needed.
- Users interact only with our backend, which communicates with FusionAuth; they do not interact directly with FusionAuth.
Thanks in advance!
-
Yes, it is possible to configure a custom domain for your SAML audience URL using FusionAuth's Custom Domain feature. This setup allows you to map your desired domain, e.g., https://auth.company.com, to your FusionAuth instance, enabling the SAML audience URL to use your custom domain.
Steps to Achieve This:
- Set Up a Custom Domain:
  - Configure a custom domain in FusionAuth (available for production deployments).
  - Once the custom domain is set up, the SAML audience URL will change to reflect your domain, e.g., https://auth.company.com/samlv2/sp/<id>.
- Update DNS Records:
  - Point the custom domain (auth.company.com) to FusionAuth Cloud using the provided instructions during setup.
- Verify SAML Configuration:
  - Ensure the custom domain is reflected in the audience URL and SAML metadata. Update your SAML federation partners with the new audience URL.
Additional Notes:
- Issuer Setting: The "Issuer" setting on the tenant configuration only affects JWTs and is unrelated to SAML audience URLs.
- Custom URL Limitation: You’re correct that the login.fusionauth.io option allows for aliases to the default company.fusionauth.io domain but does not impact SAML audience URLs. Setting up a full custom domain resolves this limitation.
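As an added check for the "Verify SAML Configuration" step above (example code, not FusionAuth's own), the following parses a constructed SP metadata document and a constructed assertion and confirms that both reference the custom domain rather than the FusionAuth Cloud one. The SP id, the IdP issuer and the audience values are constructed assumptions; real metadata would be fetched from the FusionAuth instance and real assertions must still have their signatures verified separately.

```python
import xml.etree.ElementTree as ET

# Constructed values: the cloud-hosted SP identifier and the custom-domain one
# (same SP id, only the host differs). Assumed, not taken from a real deployment.
CLOUD_AUDIENCE = "https://company.fusionauth.io/samlv2/sp/3c219e58-ed0e-4b18-ad48-f4f92793ae32"
CUSTOM_AUDIENCE = "https://auth.company.com/samlv2/sp/3c219e58-ed0e-4b18-ad48-f4f92793ae32"

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
}

def make_assertion(audience: str) -> str:
    """Constructed, unsigned assertion fragment carrying only the elements this check reads."""
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_a1" Version="2.0">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>{audience}</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def make_sp_metadata(entity_id: str) -> str:
    """Constructed SP metadata; the entityID is what partners use as the audience."""
    return f"""<md:EntityDescriptor xmlns:md="{NS['md']}" entityID="{entity_id}">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""

def audience_restrictions(xml_text: str) -> list[list[str]]:
    """One inner list per AudienceRestriction element; each lists its Audience values."""
    root = ET.fromstring(xml_text)
    return [[a.text.strip() for a in r.findall("saml:Audience", NS) if a.text]
            for r in root.findall(".//saml:AudienceRestriction", NS)]

def audience_matches(xml_text: str, expected: str) -> bool:
    """SAML semantics: every AudienceRestriction must list the expected SP URL
    (restrictions are ANDed, audiences within one restriction are ORed).
    An assertion with no restriction at all is rejected rather than accepted."""
    restrictions = audience_restrictions(xml_text)
    return bool(restrictions) and all(expected in aud for aud in restrictions)

def metadata_uses_domain(xml_text: str, domain: str) -> bool:
    """True when the SP entityID is served from the custom domain, not the cloud host."""
    entity_id = ET.fromstring(xml_text).get("entityID", "")
    return entity_id.startswith(f"https://{domain}/")
```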