RE: 404 Page theme

Is it a total coincidence that that is GitHub Issue #404? Ha!

@mgetka

The Elasticsearch index is not queried during an authentication request, it is only used for search operations. We do attempt to update the search index during an authentication request but it is not directly required to complete login.

The Windows install is just a zip package. So deleting is mostly just deleting the directory.

Un-install the service

If you installed a Windows service after unzipping the bundle during the installation, you should un-install that first. If you only used the startup.bat script you can skip this step.

cd C:\Users\me\projects\fusionauth\fusionauth-app\apache-tomcat\bin
FusionAuthApp.exe /uninstall

https://fusionauth.io/docs/v1/tech/installation-guide/upgrade

Note:
Note, I see at the bottom of your code example that binary is not present in the directory. I'll have to look into why that is not present. In any case, if it is not present, that also means you have not installed the service, so you can skip this step.

Delete the directory

To complete the un-install, simply delete the directory once you have stopped the processes.

rmdir C:\Users\me\projects\fusionauth /s

If you have a database running locally, you will need to delete that separately. To do that you can open a SQL shell and run:

drop database fusionauth;

Hope that helps! Perhaps we need to add an un-install section to the documentation.

@onmybus We'll need to do some more research into that error, @dan had some good insight in the reddit thread. Perhaps we are not building the response correctly.

If you wan try @dan's suggest, I think the SAML Populate lambda would look like this: ( @dan was really close)

function populate(samlResponse, user, registration) {
  samlResponse.assertion.subject.subjectConfirmation.recipient = null;
}

Here is how we are building that subject object:

String callback = samlv2Configuration.callbackURL.toString();

response.assertion.subject = new Subject();
response.assertion.subject.subjectConfirmation = new SubjectConfirmation();
response.assertion.subject.subjectConfirmation.inResponseTo = request.id;
response.assertion.subject.subjectConfirmation.method = ConfirmationMethod.Bearer;
response.assertion.subject.subjectConfirmation.notBefore = now.minusHours(1);
response.assertion.subject.subjectConfirmation.notOnOrAfter = now.plusHours(1);
response.assertion.subject.subjectConfirmation.recipient = callback;

As a side note, the way you can debug this, is to dump out the samlResponse object to an event log. For example, add this to your lambda body and the samlResponse object will be pretty printed to an info event log. See System > Event Log.

console.info(JSON.stringify(samlResponse, null, ' ')); 

@jmarin the fix you're looking for is was in FusionAuth version 1.11.0, if you upgrade to version 1.11.0 or later this issues should be resolved. https://fusionauth.io/docs/v1/tech/release-notes#version-1-11-0

I just have to know!

The Lookup API is generally designed for use when you are not going to use the FusionAuth login pages or SSO features.

I think you're asking to go directly to an IdP login page without hitting the FusionAuth login page first and clicking a button to "Login with Acme Corp" for example?

Does this issue cover your use case?
https://github.com/FusionAuth/fusionauth-issues/issues/178#issuecomment-501390468

The above issue would allow you to provide a hint ahead of time so we can bypass the login page for a domain scoped IdP configuration. We could also add the option to provide the Identity Provider Id as a hint on the request ?identityProviderId=42 to force a particular IdP.

We do offer paid support plans if you'd like engineering support.

We do our best to get to all of the community issues as well, but our resources are limited.

Hope to get back to this soon.

Here is how I would suggest you work through the construction of your lambda function.

Start with a basic function like this to print out the SAML response.

function reconcile(user, userAttributes) {
  // Dump the userAttributes object to an Info Event Log
  console.info(JSON.stringify(userAttributes, null, 2));
}

This will give you an Event log to show you what is being returned from your LDAP, and more specifically the attributes we have extracted from that response. To find the event log, navigate to System > Event Log.

The goal of this lambda will be to build up the user and registrations. Here is a more full featured example of what that may look like. The result of this lambda would be a user with an email and fullName set and a single registration.

function reconcile(user, userAttributes) {
  // Dump the userAttributes object to an Info Event Log
  // console.info(JSON.stringify(userAttributes, null, 2));

  user.id = userAttributes.uid;
  user.active = true;

  user.email = userAttributes.mail;
  user.fullName = userAttributes.cn;

  // This is the basic idea of how to build the registration.
  // The values will be dependent upon what is returned in your SAML
  // response. You can hard these values if you want them to always
  // be the same, or it may be variable based upon the SAML attributes returned.
  user.registrations = [{
    applicationId: "5d562fea-9ba9-4d5c-b4a3-e57bb254d6db",
    roles = ['user', 'admin']
  }];
}

We should have documentation out shortly as well, but hopefully this will get you moving. As @dan mentioned, this is a preview release for this feature, so if you run into bugs or missing capability please open a GitHub issue and let us know.

Sounds like @viola-mauro you've got this all working.

For anyone else that may be interested, we do have an apache module, that seems to be similar to what you're trying to do.

https://github.com/FusionAuth/fusionauth-mod-authnz-external

Thanks for reporting, we have recreated the issue. It will be tracked and solved under this issue. https://github.com/FusionAuth/fusionauth-issues/issues/749

The Lookup API is generally designed for use when you are not going to use the FusionAuth login pages or SSO features.

I think you're asking to go directly to an IdP login page without hitting the FusionAuth login page first and clicking a button to "Login with Acme Corp" for example?

Does this issue cover your use case?
https://github.com/FusionAuth/fusionauth-issues/issues/178#issuecomment-501390468

The above issue would allow you to provide a hint ahead of time so we can bypass the login page for a domain scoped IdP configuration. We could also add the option to provide the Identity Provider Id as a hint on the request ?identityProviderId=42 to force a particular IdP.

Thanks for sharing @hopper-jerry , I added a link to your Docker hub and article on the GitHub page so others can easily find your Arm64 images.

Thanks for your contribution!
https://github.com/FusionAuth/fusionauth-containers#arm64

@ashok you got it!

If you omit the encryptionScheme property on the user, FusionAuth will assume you are importing a plain text password.

https://fusionauth.io/docs/v1/tech/apis/users#import-users

If you were importing a hashed password, you'd have the encryptionScheme, factor, salt, and password (in hash form).

You'll want to set the password to something random. You will not need to set the salt, it will be generated for you during import when providing a plain text password.

Here is a Java example to generate a strong random password.

public static String secureRandom(int bytes) {
  SecureRandom random = new SecureRandom();
  byte[] buf = new byte[bytes];
  random.nextBytes(buf);
  return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
}

String randomPassword = secureRandom(32);

32 bytes is generally considered adequate. A Base64 encoded character has 62 possible values, and an entropy per character of 5.954 bits. A 16 byte token provides approximately 131 bits of entropy (22 characters * 5.954). A 32 byte token provides approximately 256 bits of entropy (43 characters * 5.954).

As a side note, during the Import, if you provide a password directly, i.e. not a hash - then FusionAuth will hash the password inline before it stores the value. If you have a lot of users, this will significantly slow the import process.