Hi again!
For the record, I just found the solution.
Fusionauth config is taken from JVM variables, as explained here. These can be chaged with the fusionauth-search.additional-java-args property, specified in the fusionauth.properties file like so:
fusionauth-search.additional-java-args="-Duser.timezone=UTC".
Then everything is working and compliant with SAMLv2 timestamps. Hope this helps someone else some day.
Hi @dan !
I'm sorry, the only thing I can say is that setting
fusionauth-search.additional-java-args="-Duser.timezone=UTC"
solved the issue for me.
If that's already solved, I guess it can be closed.
Hi @dan !
I'm sorry, the only thing I can say is that setting
fusionauth-search.additional-java-args="-Duser.timezone=UTC"
solved the issue for me.
If that's already solved, I guess it can be closed.
Hi again!
For the record, I just found the solution.
Fusionauth config is taken from JVM variables, as explained here. These can be chaged with the fusionauth-search.additional-java-args property, specified in the fusionauth.properties file like so:
fusionauth-search.additional-java-args="-Duser.timezone=UTC".
Then everything is working and compliant with SAMLv2 timestamps. Hope this helps someone else some day.
Hi!
Situation:
Few months ago my I set up a FA installation hosted in FA servers. Then I set a SAMLv2 IDP configuration, and in the end ran perfect.
Now I set the same configuration for the same IDP in a FA installation (1.27.2) hosted in our servers.
However, this configuration does not work correctly this time. I have contacted the IDP manager, and he said that the timestamp in the AuthNRequest is invalid. So, I checked the server and database timezone configurations, and set everything to UTC, as SAMLv2 demands, and then rebooted everything. No effect from this.
Then I realized that the event logs in the FA server shows a different time (UTC) from ours (CEST).
FA hosted server:
Our server:
Do you have any ideas on how I can change or set that timezone? Since I think this is the reason why the SAML conection is not working.
Thank you!
Hi @joshua,
Just to let you know, in the end I installed FA in a new VPS, and pointed a new subdomain to it so everything is now on the same domain, and it's working fine inside the iframe!
Thank you so much for your support! Helped a lot!
Jose
Indeed, custom URL/domain is the only feature we really need from HA.
In this case, would it be possible to do a "partial upgrade", meaning paying more just for this feature? Otherwise I think we should give self hosting a try.
Just to be sure, the CloudFlare option would involve implementing that "coordination" on both apps aswell?
Thank you again for the great support!
Jose
Hi @joshua,
Many thanks for the information. Indeed that is exactly the use case.
Since our current Cloud plan is not High-Availability, the current structure is:
FusionAuth deployment.fusionauth.io
App A -> a.mydomain.com
App B -> b.mydomain.com
Do you think it's necessary to upgrade the current Cloud plan to fit the structure you mentioned?
The Cloudflare option might be good, but I'm not sure which kind of cookie would I need to set for making it work. Any guidance about this?
Thank you!
Thank you @joshua,
Alright then, I've tried using incognito mode aswell. Also checked everything is HTTPS -> HTTPS.
I'll wait for the cookie settings news.
Hi @joshua,
Yeah, it's pretty much the same issue Netflix faces. However, in this case 2FA would be too annoying for our users, and doesn't make enough sense I think.
Indeed WAF is a good idea, I've been looking at some solutions like AWS WAF, but seems pretty complex at first.
The ideal solution would be FA being able to handle this. I imagine it would store the device fingerprint (using fingerprint.js for example) in the user data / registration data, and then check the count against a limit set in the tenant/application settings on every login. Is this something FA can develop as a paid request?
Another solution would be allowing Lambdas to import external js libraries, or even make API calls would do the trick. Then anyone could implement the limitation by their own.
Let me know our thoughts about any of this options and/or new ideas!
And thank you for the amazing support job!
Hi @joshua,
Thank you for the new info!
I thought those settings were not possible in the cloud version. Am I wrong?
Being able to apply that configuration in the cloud version might be the solution, hope it can be done!
For the apps part, I have tested in a simple local apache server aswell, just a static html page with the iframe and I got the same result.
Thank you so much!
Hello @joshua, thank you for the information!
It actually happens in every browser i've tested in (Chrome, Edge and Firefox, and IE).
I checked the samesite attribute and every other configuration for cookies, as well as for iframes.
What I have tried so far:
Also, I have noticed that the FA login page sets its own cookie "fusionauth.sso" with samesite Lax. Our login is hosted in FA.
SSO still works in a new tab.
Hope this information helps.
Thank you!
Jose.