Login Without Authentication Page in FusionAuth but with SSO Session Cookie

Hi everyone,

We are working on an integration with FusionAuth and need help to avoid requiring users to enter their username and password on the FusionAuth login page while ensuring that the fusionauth.sso cookie is properly set. This cookie is essential because another application will use it to validate the session.

Current Flow:

1. MemberSuite initiates the login request using Reverse SSO.
2. Our SSO Bridge intercepts the request and constructs the authentication URL for FusionAuth.
3. The user is redirected to FusionAuth for authentication.
4. Upon successful authentication, FusionAuth redirects the user to ChainPoint.
5. ChainPoint begins its login process and redirects back to FusionAuth.
6. Since the user is already authenticated, they are sent directly to the platform dashboard.

What We Need:

We want to log the user in without them having to manually enter their credentials on FusionAuth's login page. However, we still need the fusionauth.sso cookie to be set, so ChainPoint can validate the session and grant access.

We found this GitHub issue, but many of the referenced links are no longer working.

Has anyone solved a similar case, or can anyone provide guidance on how to handle this requirement?
Any suggestions or references would be greatly appreciated.

Thanks in advance!

Hi @mark-robustelli,

Thank you very much for looking into this!

Fortunately, ChainPoint made some adjustments on their end, and we were finally able to log in successfully using OIDC.

I really appreciate your willingness to investigate the issue.

Thanks again for your time and help!

Best,
Cristian

Hi Mark! Thanks for your response!

However, I believe there is some confusion regarding the protocol we are using. The example you shared refers to RelayState, which is specific to SAML, while we are implementing OIDC (OpenID Connect) with FusionAuth as the IdP.

Our issue is related to the state parameter in OIDC, which is used for CSRF protection and session validation.

Our main concern is:

• FusionAuth is receiving the state parameter from our SSO Bridge.
• When it redirects to the final service (ChainPoint), the state is not present in the response, causing authentication failure.

Do you know if there is a way to ensure FusionAuth retains and returns the state parameter in the redirect?

Thanks again for your help!

Debug Log from ChainPoint when we try to login in:

2025-01-28 14:35:35,806 DEBUG LogMessage - Authorize response: code=cbQVpjY5qeODZ1I4251aT46-MOIqG5CgGbMOWBUgVSs&locale=en&userState=Authenticated
2025-01-28 14:35:36,208 TRACE Trace - ProcessResponseAsync
2025-01-28 14:35:36,218 ERROR LogMessage - Missing state.
2025-01-28 14:35:36,235 WARN  ProcessLoginResponse - Unable to login user, error during login token validation: Missing state. ()

Context:

We are implementing Reverse SSO where FusionAuth acts as the IdP, and we are experiencing an issue with the state parameter when completing authentication with an external OIDC-compliant service (ChainPoint).

Flow Overview:

1. MemberSuite initiates the login request using Reverse SSO.
2. Our SSO Bridge intercepts the request and constructs the authentication URL for FusionAuth, ensuring the state parameter is included.
3. The user is redirected to FusionAuth for authentication.
4. Upon successful authentication, FusionAuth redirects the user to ChainPoint.
5. ChainPoint expects the state parameter for security validation, but it appears to be missing or not returned correctly.

Authentication URL We Construct:

We generate the following authentication URL from our SSO Bridge:

https://auth.example.com/oauth2/authorize?client_id=12345678-1234-1234-1234-123456789abc&response_type=code&response_mode=form_post&redirect_uri=https%3A%2F%2Fchainpoint.example.com%2Flogin%2Fsso%2Fresponse%2F98765432&state=randomgeneratedstate12345

The Problem:

• We generate the state in our SSO Bridge when constructing the authentication URL.
• However, when FusionAuth completes authentication and redirects to ChainPoint, the state is not present or correctly returned.
• Since ChainPoint uses the state for CSRF protection and session validation, the authentication fails.
• We cannot persist the state in our SSO Bridge because, once redirected to FusionAuth, the SSO Bridge is no longer part of the process.
• Since FusionAuth is the entity communicating with ChainPoint, we need a way to retain and correctly propagate the state throughout the flow.
• We cannot modify ChainPoint’s code, nor can we set SameSite=None cookies or manage cross-domain session storage manually.

Questions & Help Needed:

1. How can we ensure that FusionAuth retains and correctly returns the state parameter when redirecting to ChainPoint?
2. Is there a built-in mechanism in FusionAuth to store and return state automatically, or do we need to handle it manually?
3. Would a Lambda function help ensure that the state is included in the final redirect?

Any insights or recommendations from the community would be greatly appreciated! I really appreciate any help you can provide.

Best regards,
Cristian Acevedo
Smarterix