Can FusionAuth federate to itself?
-
If I am running multiple FusionAuth instances, can one be a SAML IdP and another be the SAML SP?
-
Yes. You'd need to configure each instance correctly, but this can be done.
-
Here's how I set up FusionAuth as a SAML IdP (
idp.fusionauth.io
) and added a 'Login with SAML' button on a FusionAuth instance (local.fusionauth.io
). Both servers are running 1.24.0. I do have multiple tenants in both local and demo, but both applications are in the default tenant. (Setting up these servers locally is possible, but beyond the scope of this post.)- Created a RSA 256 keypair on
idp.fusionauth.io
in key master (saml test
) - Created a RSA public key and imported the
saml test
public key into key master onlocal.fusionauth.io
- Add POST as an allowed CORS method in the
local.fusionauth.io
settings, with an allowed origin ofhttps://idp.fusionauth.io
. - Created an application (
samlsp
) inlocal.fusionauth.io
. Added a oauth redirect url to the application. - Created an application (
samlidp
) inidp.fusionauth.io
. Added a oauth redirect url to the application. - Configured samlidp application with the following values:
- enabled SAML on the SAML tab
- set the issuer to
https://example.com
- added an authorized redirect url:
https://local.fusionauth.io/samlv2/acs
- set the response signing key to 'saml test'. All other response fields are default.
- Configured a SAML identity provider on
local.fusionauth.io
- name: idpfusionauth
- IdP endpoint:
https://idp.fusionauth.io/samlv2/login/a743e2cd-55bb-789c-b076-8846fdd3a51f
( pulled from the applications details screen of thesamlidp
application) - use nameid for email: true
- verification key: use the certificate of the aforementioned
saml test
public key (not the public key!) - use post method: false
- sign request: false
- applications:
samlsp
enabled and registration enabled
- Updated the issuer on the
samlidp
applicationSAML
screen. Set the issuer tohttps://local.fusionauth.io/samlv2/sp/dfd114b9-7b57-446d-8f60-ec6689f47da4
. This value is pulled from thelocal.fusionauth.io
SAMLv2 Identity Provider details. Note that you may need to trim this value, as when you copy it there may be spaces in front or behind, and if you don't remove them, you'll see aThe AuthnRequest contained an invalid issuer
message.
By following these steps, when you open up an incognito window and go to the login page of the
samlsp
application, you will see a 'login with saml' button, and then you can login with that. - Created a RSA 256 keypair on
-
This also works with an OIDC provider and from tenant to tenant in the same FusionAuth instance. Assume you have an app (app1) in your existing tenant and you want to allow users in a different tenant to log in to app1. You can do this with an identity provider.
To do so:
- create a new tenant in your FusionAuth instance
- create an application in the new tenant (app2)
- add an authorized redirect URL of
https://yourinstance.fusionauth.io/oauth2/callback
- make sure the authorization code grant is checked.
- add an authorized redirect URL of
- create a user in the new tenant
- use same email address but a different password
- register the user for app2
- create an OIDC identity provider
- the name should be app2 IDP
- update the button text to say 'log in with app2 in a different tenant'
- the client identifier and secret should be the app2 client id and secret
- the scope should be
openid profile email
- the authorization URL should be
https://yourinstance.fusionauth.io/oauth2/authorize
- the token URL should be
https://yourinstance.fusionauth.io/oauth2/token
- the userinfo URL should be
https://yourinstance.fusionauth.io/oauth2/userinfo
- enable the OIDC identity provider for app1 and make sure to create a registration for that application when a successful authentication is done.
When you visit the app1 login screen, you should now see a button prompting you to log in with app2.
This allows you to do cross tenant enterprise sign on within the same FusionAuth instance.