Hi @luis-b !

I would use step up auth for this situation.

It is documented here: https://fusionauth.io/docs/v1/tech/guides/multi-factor-authentication#step-up-auth

Hi @vinicius-alfonso !

As documented here: https://fusionauth.io/docs/v1/tech/oauth/endpoints#userinfo we don't provide the address info, even if you pass the address scope.

Per the OpenID spec, section 5.4, it appears that supporting the address scope is optional: https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims

If this is important to you, please file an issue here: https://github.com/fusionauth/fusionauth-issues/issues with details about the use case.

We are guided by our customers and community when it comes to implementation of issues. Here's our general roadmap guidance: https://fusionauth.io/docs/v1/tech/core-concepts/roadmap

@jesper What does the Security tab on your application config say?

In particular the Generate refresh tokens setting?

https://fusionauth.io/docs/v1/tech/core-concepts/applications#security

@joshua Thank you for updating the docs. I can confirm simply increasing the numberOfResults indeed returns the rest of the users!

@utahtwo Currently this requires two different configurations. We initially tried to do it all within one IdP, but each mode requires different configuration and has unique security constraints. It seemed simpler for all involved to make them separate IdP configurations.

If there is a use case that breaks due to this design decision, please open a GitHub issue and outline the use case so we can better understand your needs. Thanks!

@jw

Can you confirm if you are still having this issue?

This consent screen may be controlled by Google (and possibly unrelated to FusionAuth configuration)

Thanks,
Josh

@admin-5

Thanks for letting us know. This should now be corrected.

Thanks,
Josh
FusionAuth

@ramonsaucedo Glad you got it working!

@matt-1

I would assume that is the issue - but let us know if otherwise

Josh

@depth9mcd This is typically accomplished using a proxy (Apache, NGINX, etc) in front of FusionAuth.

https://fusionauth.io/docs/v1/tech/admin-guide/proxy-setup#proxies-and-tenants has more details.

However, please feel free to file a feature request with your suggestion for a lambda to run before the authorize page is rendered: https://github.com/fusionauth/fusionauth-issues/issues

@andres-garcia Sorry for the late response, kinda slammed.

https://fusionauth.io/docs/v1/tech/samlv2/#limitations says

FusionAuth supports only the following NameIDPolicy values:

urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress urn:oasis:names:tc:SAML:2.0:nameid-format:persistent urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

So it seems like that isn't supported. Please feel free to file an issue https://github.com/fusionauth/fusionauth-issues/issues referencing this forum post and explaining you'd like this new NameIDPolicy value to be supported.

If you are a customer with a support contract, it's helpful if you file a support ticket as well. This helps us prioritize future work.