FusionAuth

    Posts made by cristian

    • RE: Login Without Authentication Page in FusionAuth but with SSO Session Cookie

      Hi @mark-robustelli,

      Thanks for your response.

      The SSO Bridge acts as the IdP between MemberSuite and FusionAuth. It also handles other functions related to data synchronization and specific validations against ChainPoint and Zapier.

      Currently, the SSO Bridge performs multiple validations against MemberSuite and then logs the verified user into FusionAuth using the API. However, we read in the FusionAuth documentation that:

      • "A FusionAuth SSO session is created when a user checks 'Keep me signed in'. This session is available only when using the hosted login pages and a browser or webview. This session gives your application transparent, automatic user authentication when a user on a device switches between different web or mobile applications."

      Since we are logging in via API (server-to-server), we understand that the fusionauth.sso cookie is not being set because there is no browser session involved. This prevents ChainPoint from detecting an active session automatically.

      One of the reasons we chose to go through FusionAuth rather than handling authentication directly via the SSO Bridge is that we want FusionAuth to serve as the central authentication portal for other platforms within the company. Given this long-term goal, we need to ensure that FusionAuth correctly sets the SSO session for seamless authentication.

      One option we considered was creating a custom login page that would auto-submit user credentials, but we don’t see this as a good practice. Instead, we’re looking for a more robust way to achieve seamless authentication while ensuring the fusionauth.sso cookie is properly set.

      Would a Connector help in this case, or is there another recommended approach to achieve this?

      Thanks again for your help!

      posted in Q&A
      cristian
    • Login Without Authentication Page in FusionAuth but with SSO Session Cookie

      Hi everyone,

      We are working on an integration with FusionAuth and need help to avoid requiring users to enter their username and password on the FusionAuth login page while ensuring that the fusionauth.sso cookie is properly set. This cookie is essential because another application will use it to validate the session.

      Current Flow:
      1. MemberSuite initiates the login request using Reverse SSO.
      2. Our SSO Bridge intercepts the request and constructs the authentication URL for FusionAuth.
      3. The user is redirected to FusionAuth for authentication.
      4. Upon successful authentication, FusionAuth redirects the user to ChainPoint.
      5. ChainPoint begins its login process and redirects back to FusionAuth.
      6. Since the user is already authenticated, they are sent directly to the platform dashboard.

      What We Need:

      We want to log the user in without them having to manually enter their credentials on FusionAuth's login page. However, we still need the fusionauth.sso cookie to be set, so ChainPoint can validate the session and grant access.

      We found this GitHub issue, but many of the referenced links are no longer working.

      Has anyone solved a similar case, or can anyone provide guidance on how to handle this requirement?
      Any suggestions or references would be greatly appreciated.

      Thanks in advance!

      posted in Q&A
      cristian
    • RE: Help/Issue with `state` Parameter in Reverse SSO Flow with FusionAuth

      Hi @mark-robustelli,

      Thank you very much for looking into this!

      Fortunately, ChainPoint made some adjustments on their end, and we were finally able to log in successfully using OIDC.

      I really appreciate your willingness to investigate the issue.

      Thanks again for your time and help!

      Best,
      Cristian

      posted in Q&A
      cristian
    • RE: Help/Issue with `state` Parameter in Reverse SSO Flow with FusionAuth

      Hi Mark! Thanks for your response!

      However, I believe there is some confusion regarding the protocol we are using. The example you shared refers to RelayState, which is specific to SAML, while we are implementing OIDC (OpenID Connect) with FusionAuth as the IdP.

      Our issue is related to the state parameter in OIDC, which is used for CSRF protection and session validation.

      Our main concern is:

      • FusionAuth is receiving the state parameter from our SSO Bridge.
      • When it redirects to the final service (ChainPoint), the state is not present in the response, causing authentication failure.

      Do you know if there is a way to ensure FusionAuth retains and returns the state parameter in the redirect?

      Thanks again for your help!

      posted in Q&A
      cristian
    • RE: Help/Issue with `state` Parameter in Reverse SSO Flow with FusionAuth

      Debug log from ChainPoint when we try to log in:

      2025-01-28 14:35:35,806 DEBUG LogMessage - Authorize response: code=cbQVpjY5qeODZ1I4251aT46-MOIqG5CgGbMOWBUgVSs&locale=en&userState=Authenticated
      2025-01-28 14:35:36,208 TRACE Trace - ProcessResponseAsync
      2025-01-28 14:35:36,218 ERROR LogMessage - Missing state.
      2025-01-28 14:35:36,235 WARN  ProcessLoginResponse - Unable to login user, error during login token validation: Missing state. ()
      
      
      posted in Q&A
      cristian
    • Help/Issue with `state` Parameter in Reverse SSO Flow with FusionAuth

      Context:

      We are implementing Reverse SSO where FusionAuth acts as the IdP, and we are experiencing an issue with the state parameter when completing authentication with an external OIDC-compliant service (ChainPoint).

      Flow Overview:

      1. MemberSuite initiates the login request using Reverse SSO.
      2. Our SSO Bridge intercepts the request and constructs the authentication URL for FusionAuth, ensuring the state parameter is included.
      3. The user is redirected to FusionAuth for authentication.
      4. Upon successful authentication, FusionAuth redirects the user to ChainPoint.
      5. ChainPoint expects the state parameter for security validation, but it appears to be missing or not returned correctly.

      Authentication URL We Construct:

      We generate the following authentication URL from our SSO Bridge:

      https://auth.example.com/oauth2/authorize?client_id=12345678-1234-1234-1234-123456789abc&response_type=code&response_mode=form_post&redirect_uri=https%3A%2F%2Fchainpoint.example.com%2Flogin%2Fsso%2Fresponse%2F98765432&state=randomgeneratedstate12345
      

      The Problem:

      • We generate the state in our SSO Bridge when constructing the authentication URL.
      • However, when FusionAuth completes authentication and redirects to ChainPoint, the state is not present or correctly returned.
      • Since ChainPoint uses the state for CSRF protection and session validation, the authentication fails.
      • We cannot persist the state in our SSO Bridge because, once redirected to FusionAuth, the SSO Bridge is no longer part of the process.
      • Since FusionAuth is the entity communicating with ChainPoint, we need a way to retain and correctly propagate the state throughout the flow.
      • We cannot modify ChainPoint’s code, nor can we set SameSite=None cookies or manage cross-domain session storage manually.

      Questions & Help Needed:

      1. How can we ensure that FusionAuth retains and correctly returns the state parameter when redirecting to ChainPoint?
      2. Is there a built-in mechanism in FusionAuth to store and return state automatically, or do we need to handle it manually?
      3. Would a Lambda function help ensure that the state is included in the final redirect?

      Any insights or recommendations from the community would be greatly appreciated! I really appreciate any help you can provide.

      Best regards,
      Cristian Acevedo
      Smarterix

      posted in Q&A
      cristian
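
Added example, not part of the original posts and not FusionAuth or ChainPoint code: a generic OIDC relying party that issues `state`, binds it to its own browser session, and checks the authorize response, run against constructed responses shaped like the one in the debug log above. The in-memory session store, the function names and the `EXAMPLE_CODE` value are assumptions made for illustration.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode

SESSIONS = {}  # hypothetical stand-in for the relying party's per-browser session store
AUTHZ = "https://auth.example.com/oauth2/authorize"
REDIRECT = "https://chainpoint.example.com/login/sso/response/98765432"
CLIENT_ID = "12345678-1234-1234-1234-123456789abc"


def begin_login(session_id):
    """Mint an unguessable state, bind it to this session, build the authorize URL."""
    state = secrets.token_urlsafe(32)
    SESSIONS[session_id] = state
    query = urlencode({"client_id": CLIENT_ID, "response_type": "code",
                       "response_mode": "form_post", "redirect_uri": REDIRECT,
                       "state": state})
    return f"{AUTHZ}?{query}"


def check_response(session_id, form_body):
    """Validate a form-encoded authorize response against the state bound to the session."""
    params = parse_qs(form_body)
    expected = SESSIONS.pop(session_id, None)  # single use: a replay finds nothing pending
    returned = params.get("state", [None])[0]
    if returned is None:
        return "missing_state"
    if expected is None:
        return "no_pending_login"
    if not hmac.compare_digest(returned.encode(), expected.encode()):
        return "state_mismatch"
    return "ok" if "code" in params else "missing_code"


def demo():
    """Run four constructed responses through the check and return each verdict."""
    results = {}
    begin_login("sess-1")
    good = urlencode({"code": "EXAMPLE_CODE", "state": SESSIONS["sess-1"]})
    results["round_trip"] = check_response("sess-1", good)
    results["replay"] = check_response("sess-1", good)
    begin_login("sess-2")  # same parameter names as the logged response, no state
    results["no_state"] = check_response(
        "sess-2", "code=EXAMPLE_CODE&locale=en&userState=Authenticated")
    begin_login("sess-3")  # a state value this relying party never issued
    results["foreign_state"] = check_response(
        "sess-3", "code=EXAMPLE_CODE&state=randomgeneratedstate12345")
    return results


if __name__ == "__main__":
    print(demo())
```
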