@jay-saxophone383 I do believe you can get FusionAuth to work as you described here. Here are some links that may give you a little more detail.
Enabling Single Sign-On in an Organization
As mentioned above, some of the features described are only available with paid planes and if you need to test them out, you will want to contact FusionAuth and see what can be worked out.
Does FusionAuth provide an evaluation license to test its premium features for on premise?
As far as I know there is no license that allows you to test the premium features. If this is something you are interested, you may want to reach out to the sales team.
You can use the public sandbox instance, which has a valid license and access to all premium features. No credit card or account is required. However, be aware that any data you enter is public and the environment is reset regularly, so your changes will not persist.
Is there something specific (a feature/use case) that you are interested in and how it works?
Does the solution offer robust capabilities to collect and securely store detailed information about trusted user devices and activities during access management sessions?
Yes, in addition to general logging there are numerous webhooks that allow you to consume JSON messages emitted from FusionAuth events.
This information is crucial for tracking audit trails and performing analytics, particularly in the following areas:
a) Device Information
i) Various device types and models
Yes
ii) Popular operating systems across desktop and laptop platforms (e.g., Windows, macOS, Linux, ChromeOS) and mobile platforms (e.g., Android, iOS, others)
Yes
iii) Security posture details, such as antivirus software and posture checks
I'm not sure what you mean with this question. FusionAuth does have Advanced Threat Detection available. Is that what you are talking about?
b) Comprehensive Reporting
Ability to track all access management activities, including login times, accessed resources, actions performed, user activity patterns, and associated geographic locations
FusionAuth has a few views you can look at to see such information (like the dashboard below), but between the webhooks and API access you should be able to collect, organize and view the data the way you would need to.
This is an example of the dashboard with some of the advanced features enabled.
Here is an example from a successful login webhook.
{
"event" : {
"applicationId" : "3c219e58-ed0e-4b18-ad48-f4f92793ae32",
"authenticationType" : "PASSWORD",
"connectorId" : "e3306678-a53a-4964-9040-1c96f36dda72",
"createInstant" : 1747952916005,
"id" : "fbeb32bc-0a98-4835-800e-7b0b5aa75523",
"info" : {
"deviceName" : "macOS Chrome",
"deviceType" : "BROWSER",
"ipAddress" : "192.168.147.1",
"userAgent" : "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36"
},
"ipAddress" : "192.168.147.1",
"linkedObjectId" : "00000000-0000-0000-0000-000000000001",
"tenantId" : "d7d09513-a3f5-401c-9685-34ab6c552453",
"type" : "user.login.success",
"user" : {
"active" : true,
"birthDate" : "1981-06-04",
"connectorId" : "e3306678-a53a-4964-9040-1c96f36dda72",
"data" : {
"favoriteColor" : "chartreuse"
},
"email" : "admin@example.com",
"firstName" : "Dinesh",
"id" : "00000000-0000-0000-0000-000000000001",
"insertInstant" : 1736377123822,
"lastLoginInstant" : 1747952916005,
"lastName" : "Chugtai",
"lastUpdateInstant" : 1746139865421,
"memberships" : [ ],
"passwordChangeRequired" : false,
"passwordLastUpdateInstant" : 1746139893637,
"preferredLanguages" : [ ],
"registrations" : [ {
"applicationId" : "ec526002-35cc-4e6e-8f5b-0e4fba2b08c8",
"data" : { },
"id" : "b2e3f755-1b1f-44f5-92ff-e6a41fa3eb12",
"insertInstant" : 1745098563132,
"lastLoginInstant" : 1745279910748,
"lastUpdateInstant" : 1745098563132,
"preferredLanguages" : [ ],
"roles" : [ ],
"tokens" : { },
"usernameStatus" : "ACTIVE",
"verified" : true,
"verifiedInstant" : 1745098563132
}, {
"applicationId" : "3c219e58-ed0e-4b18-ad48-f4f92793ae32",
"data" : { },
"id" : "53635379-6b65-47c0-a593-579f1e0340ec",
"insertInstant" : 1736377123867,
"lastLoginInstant" : 1747952916005,
"lastUpdateInstant" : 1736377123867,
"preferredLanguages" : [ ],
"roles" : [ "admin" ],
"tokens" : { },
"usernameStatus" : "ACTIVE",
"verified" : true,
"verifiedInstant" : 1736377123867
} ],
"tenantId" : "d7d09513-a3f5-401c-9685-34ab6c552453",
"twoFactor" : {
"methods" : [ ],
"recoveryCodes" : [ ]
},
"usernameStatus" : "ACTIVE",
"verified" : true,
"verifiedInstant" : 1736377123822
}
}
}
Hope this answers your questions.
@robin-singh said in Getting 403 : disallowed_useragent with Google Auth:
We have android/iOS app where authentication redirects to fusionauth login page.
And here we have Facebook/Google login setup.
Facebook and native login is working fine but with Google login getting Error 403: disallowed_useragent.Is there any way to directly open sign in for google which will send data to fusion auth only.
Are you trying to open the login in your application? Maybe try to use the system browser to up the Google login and see if that works. Google disallows OAuth login flows inside embedded web views (like those used in many mobile apps).
@d-chinguun-0301 No problem. Glad you figured it out. No need for apologies, if you were confused others may be as well. Now when they search here, they will have an answer. Have a great one
@d-chinguun-0301 can you give us some example code of what you are trying to do? What API are you using and how are you trying to cancel the call?
If you need help in a non public forum and you have a paid plan which includes technical support, please open a ticket via your account portal.
If you don't have a paid plan and still want the private support, please check out the Essentials Plan. You will get private email support with that.
@john-spellman, Can you let us a bit more about how you created the key? Which option did you choose to import? Which certificate type did you use? You could try different types.
Anything you can tell us about which Identity Provider you created and what the architecture looks like will help. Is FusionAuth the IdP/SP or both?
Also, If you can share the settings of you SAML tab for the application (without sharing secrets), that may give us some insight to the issue as well, if you are using FusionAuth as an IdP.
I don't have a ton of experience with importing certificates, so if anyone out there knows better, please feel free to chime in.
I have set up a key for a SAML provider before and using an RSA/RS256 type key. I generated that key with FusionAuth, but I don't see any reason you couldn't import the key you need.
You may want to check out this blog to test a simple SAML configuration if your situation reflects the setup.
@john-spellman I'm glad you have access to the instance. If you need help in a non public forum and you have a paid plan which includes technical support, please open a ticket via your account portal.
If you don't have a paid plan and still want the private support, please check out theEssentials Plan. You will get private email support with that.
Other than that, I would recommend posting the issues here and removing any sensitive info.
Also, based on your request, be very careful of anyone reaching out to help privately. I like to believe the world is a good place, but there are bad actors out there looking to take advantage of people in your situation.
@kiouplidis, can you please give us a little more detail on how you are set up and exactly what you are trying to do. I see you are getting a NetworkError when trying to reach (auth.*.com). Is that an instance of FusionAuth hosted by FusionAuth or is that an instance of FusionAuth that you have deployed? How are you trying to access the resource? Through a web browser or are you trying to execute an API call? The more information you can provide, the easier it will be to help.
If you have a paid plan which includes technical support, please open a ticket via your account portal.
@john-spellman can you tell us a little more about your set up and situation? Was it working before? What changed? Can the one user still log into prod? The more detail you give the easier it will be for someone to help. Please do not post any passwords or secrets.
@laurent-bartet awesome! So it sounds like you had things set up right, you just were not logged out, so when you went back the reconcile event never took place cause you were already logged in. Is that right?
@laurent-bartet hmm.., since the lambda seems to be set up correctly but appears to not be hitting, let's take a step back and look at the configuration. Can you tell me a little more about that? What identity providers you are using and how they are configured? I read you are using SAML, but it appears in the log that you are using OAuth2. If you are using OAuth2, you might be able to use a JWT populate lambda in that case, but would like to know more about your setup.
@laurent-bartet Since it is a SAML reconcile lambda, do you have it assigned to the Identity Provider?
Settings -> Identity Providers -> {Your SAML v2 Identity Provider} -> Edit -> Reconcile Lambda
@arnel-terblanche Can you tell us a little more about your setup? Is this a first time install? Was it working before? Is this a docker image you are trying to run? Please provide more details.
What kind of Lambda did you create? Did you assign the Lamba to the application?
If it was SAML V2 Poulate then make sure it is assigned to your application.
Applications -> {Your Application} -> SAML tab -> Authentication response -> Populate Lambda -> {Choose the lambda you created}
Also make sure you have Debug enabled set on the Lambda.
Let me know if this helps.
@bartetlau Have you had a chance to check out FusionAuth Lambdas? Specifically, SAML v2 Populate Lambda? Does that get you what you need?
@altear147 Awesome that you are making progress and thanks for keeping the post updated. I'll keep an eye on the thread, and if other issues come up, let us know.
@altear147 also did you grant these scopes in the google config?
@altear147 Thanks for taking the time to work with this. It is generally a pretty straight forward process taking no more than 5 minutes. I am out of the office this week, but will try to get some time to replicate what you are going through. I want to make sure I am working on the right thing, so just want to confirm that we have the same end goal. You want the 'Login with Google' button to work for an Application you created within FusionAuth, right?
@altear147 looks like you are getting closer. If I go back to your screenshot of the provider configuration page, it looks like the scope input box is empty. Three common scopes to include are email, profile, and openid.. Please add the correct scope(s) and let me know if that works for you.