FusionAuth Identity Providers
Identity Providers allow you to enable third-party login via FusionAuth.
The following options are currently available.
If you’re looking for a provider that is not listed here, review the open features in GitHub and either vote or comment on an existing feature, or open a new feature request if you do not find an existing feature open.
Find the FusionAuth Identity Providers in the UI by navigating to Identity Providers APIs.or use the
Identity providers and applications
Identity providers can be enabled or disabled on a per application basis.
In the following screenshot you will see that we have enabled this login provider for the Pied Piper application and enabled "Create registration". Enabling "Create registration" means that a user does not need to be manually registered for the application prior to using this login provider.
For example, when a new user attempts to log into Pied Piper using Google, if their user does not exist in FusionAuth it will be created dynamically, and if the Create registration toggle has been enabled, the user will also be registered for Pied Piper and assigned any default roles assigned by the application.
If you do not wish to automatically provision a user for this Application when logging in with Google, leave Create registration off and you will need to manually register a user for this application before they may complete login with Google and be authorized for the Pied Piper Application.
Regardless of whether you enable "Create registration" or not, a user will be created within FusionAuth when a person signs in with the identity provider. This setting controls whether a user is authorized for this application.
When you enable an identity provider you’re indicating that this external provider is an additional SoR (Source of Record). When the user successfully logs into this provider such as Google, Google has told FusionAuth the user exists and their credentials are valid. In return FusionAuth accepts this source or record and creates the user. Next we identify if the configuration allows us to automatically register (that is, provide authorization) for the requested application, based on the "Create registration" setting.
For each application, you can provide unique configuration. You might do this if you had two different FusionAuth applications that were both using Facebook as an identity provider, but using different Facebook applications. You can override none, some or all of the configuration values.
Override settings are not available in the "External JWT" identity provider, since you can create multiple instances of these.
When you are using the FusionAuth hosted login pages, you can bypass the login page and go directly to a third party Identity Provider based upon the user’s email address or an Identity Provider Id.
Hints only work with SAMLv2 or OpenID Connect identity providers.
An Identity Provider Id is appended to the Login URL for an application using the
idp_hint request parameter. For example, to send a user directly to a login page for an OIDC identity provider with the id
44449786-3dff-42a6-aac6-1f1ceecb6c46, you’d append
An email address or domain may be provided in the
login_hint request parameter, if the IdP is SAMLv2 or OpenID Connect. For example, to send a user directly to the login page of an OIDC IdP configured with a domain of
example.com, you’d append
&login_hint=example.com to the application’s Login URL.
You can read more about the
idp_hint parameters in the OAuth Endpoints documentation.
How helpful was this page?