SAML + OAuth2 SSO not working
-
Hi
I am working on implementing SSO with different authentication methods:
- React JS application with OAuth2
- Sisense with SAML
I have followed the instructions given in https://fusionauth.io/blog/2021/02/09/single-sign-on-sso-with-fusionauth/
Both applications authenticate individually and return back as expected, but SSO does not work as expected (when the user has logged in and been authenticated by one application, he/she should be able to access the other one without authenticating).
The SSO timeout is also set to 10 hours in the tenant.
Can someone help with this and give a suggestion? I have attached the configurations for both applications.
-
@janakapdj
Hope these also help to give some suggestion.
Log when authenticated with OAuth2:
OAuth2 exchange authorization code debug log for [BlueChip] with clientId [c6bcfb81-7387-4448-92fe-979fbc183864].
10/1/2021 04:08:16 AM GMT Validate the provided authorization code [Oo4TyOqTFjLro1C9UlAfR1a3CTsmClP-beOdKP58w8w].
10/1/2021 04:08:16 AM GMT PKCE not utilized on this request.
10/1/2021 04:08:16 AM GMT No scopes requested.
10/1/2021 04:08:16 AM GMT Ensure the provided request parameters match those provided the authorization request.
10/1/2021 04:08:16 AM GMT User is registered for application with Id [c6bcfb81-7387-4448-92fe-979fbc183864] the [roles] and [applicationId] claims will be added.
10/1/2021 04:08:16 AM GMT The authorization code has been successfully exchanged for an access token.
SAML request:
Incoming SAML v2 AuthnRequest. Binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
Deflated and encoded request: (omitted)
Decoded XML request:
<?xml version="1.0" encoding="UTF-8"?><samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_e7160c1b1f80aed1df0f" Version="2.0" IssueInstant="2021-10-01T04:13:20.137Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="http://10.197.60.25:8081/api/v1/authentication/login_saml_callback/" Destination="http://10.197.65.10:8080/samlv2/login/998aa744-18a5-42b9-0dfe-e11f73d68a41">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">Sisense</saml:Issuer>
<samlp:NameIDPolicy xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" AllowCreate="true"/>
<samlp:RequestedAuthnContext xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Comparison="exact">
<saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
-
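As an added example that is not part of this thread, the following Python decodes a SAMLRequest sent with the HTTP-Redirect binding (raw DEFLATE, then base64, which is what the "Deflated and encoded request" log entry above carries), parses the AuthnRequest fields that matter for routing the response, and checks the AssertionConsumerServiceURL against the ACS URLs registered for the service provider. The sample XML is constructed from the request quoted above; the registered-URL set is an assumption for the demonstration.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample: a trimmed copy of the AuthnRequest quoted in the thread.
SAMPLE_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="_e7160c1b1f80aed1df0f" '
    'Version="2.0" IssueInstant="2021-10-01T04:13:20.137Z" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
    'AssertionConsumerServiceURL="http://10.197.60.25:8081/api/v1/authentication/login_saml_callback/" '
    'Destination="http://10.197.65.10:8080/samlv2/login/998aa744-18a5-42b9-0dfe-e11f73d68a41">'
    f'<saml:Issuer xmlns:saml="{SAML}">Sisense</saml:Issuer>'
    '<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" AllowCreate="true"/>'
    '</samlp:AuthnRequest>'
)

def encode_redirect_binding(xml_text: str) -> str:
    """Build the SAMLRequest query value: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(wbits=-15)  # wbits=-15 selects raw deflate
    return base64.b64encode(comp.compress(xml_text.encode("utf-8")) + comp.flush()).decode("ascii")

def decode_redirect_binding(saml_request: str) -> str:
    """Reverse of the above: base64-decode, then raw-inflate back to XML text."""
    return zlib.decompress(base64.b64decode(saml_request), wbits=-15).decode("utf-8")

def parse_authn_request(xml_text: str) -> dict:
    """Extract the routing-relevant fields. For untrusted input use a hardened parser (e.g. defusedxml)."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    issuer = root.find(f"{{{SAML}}}Issuer")
    policy = root.find(f"{{{SAMLP}}}NameIDPolicy")
    return {
        "id": root.get("ID"),
        "issuer": issuer.text if issuer is not None else None,
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "destination": root.get("Destination"),
        "nameid_format": policy.get("Format") if policy is not None else None,
    }

def acs_is_registered(acs_url: str, registered: set) -> bool:
    """IdP-side check: only post the assertion to an ACS URL the SP has registered (exact match)."""
    return acs_url in registered

# Assumed registration for the demo: the ACS URL configured for the Sisense application above.
REGISTERED_ACS = {"http://10.197.60.25:8081/api/v1/authentication/login_saml_callback/"}
```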
Hiya.
Just so I understand, it seems like you are saying:
- User logs into react js app
- User clicks on link to Sisense app
- User is sent to login screen
But you expect the user to be sent to the Sisense app, because they should have been signed on automatically. Is that correct?
If not, please provide a step by step list of
- what you see
- what you expect to see
If the steps above are what you see, a few questions:
- What are the hostnames (of each server, including FusionAuth)? (Feel free to replace real hostnames with 'example.com' if needed).
- Can you confirm both applications are web applications?
- Are there any messages on the devtools console if you go through the steps above?
- You can log into each application separately (that is what it looks like from the logs you have posted, just wanted to confirm)?
Thanks,
Dan
-
Hi @dan
Thank you very much for your reply.
"But you expect the user to be sent to the Sisense app because they should have been signed on automatically. Is that correct?"
Yes, expecting to sign on automatically and redirect to the Sisense app.
Hostnames:
FusionAuth
Host: http://10.197.65.10:8080
React App
Host: https://staging-portal.mydomain.co.uk
Authorized URL: https://staging-portal.mydomain.co.uk/Authenticated
Sisense
Host: http://10.197.60.25:8081
Authorized Redirect URL: http://10.197.60.25:8081/api/v1/authentication/login_saml_callback/
"Can you confirm both applications are web applications?" Yes, both are web applications.
"Are there any messages on the devtools console?" Yes, when redirecting to the FA login screen the error below shows on the console:
LocaleSelect.js?version=1.26.1:16 Uncaught TypeError: element.addEventListener is not a function
at new FusionAuth.OAuth2.LocaleSelect (LocaleSelect.js?version=1.26.1:16)
at authorize?client_id=c6bcfb81-7387-4448-92fe-979fbc183864&response_type=code&redirect_uri=https://staging-portal.appdev.bluechipdomain.co.uk/Authenticated:437
at HTMLDocument.value (prime-min-1.4.1.js?version=1.26.1:4)
LocaleSelect.js?version=1.26.1:16 Uncaught TypeError: element.addEventListener is not a function
at new FusionAuth.OAuth2.LocaleSelect (LocaleSelect.js?version=1.26.1:16)
at authorize?client_id=076e4363-b470-40df-9ed8-97a41ce1d10c&redirect_uri=%2Fsamlv2%2Fcallback%2F998aa744-18a5-42b9-0dfe-e11f73d68a41&response_type=code&state=eyJhY3MiOiJodHRwOi8vMTAuMTk3LjU1Ljk1OjgwODEvYXBpL3YxL2F1dGhlbnRpY2F0aW9uL2xvZ2luX3NhbWxfY2FsbGJhY2siLCJhaSI6IjA3NmU0MzYzLWI0NzAtNDBkZi05ZWQ4LTk3YTQxY2UxZDEwYyIsImlkIjoiX2VmM2MyYjU0Y2I4Zjg3YTgxNjczIiwicnMiOiIvIn0%3D:437
at HTMLDocument.value (prime-min-1.4.1.js?version=1.26.1:4)
"You can log in to each application separately?" Yes, and each redirects back as defined (Sisense to Sisense and web app to web app).
-
Hi @dan
If you require any more details or can give some suggestions, kindly let me know. I am still unable to figure out what is causing the error here.