FusionAuth as SAML relying party and custom login pages
-
Hello,
We have a setup where we use custom login pages for our applications and we use FusionAuth strictly as an API for managing our authentication infrastructure.
One of our applications now needs to support SAML as an option to login. We are trying to add a button to our pages for Login with SAML, but are a bit lost on what we are actually required to do in this scenario.
The SAML API endpoints seem to suggest, we should be to initiate a SAML request by using the Start a SAML login request, but it is not very clear in what the returned code is supposed to be?
Is this the code that is meant to be a SAML request that is supposed to be posted to our SAML IdP or is this code needs to included as a relay state and we build the SAML request our selves?
Can you please clarify @robotdan . Thank you
Cheers
-
Docs are opaque, but I believe you need to put the
codevalue returned by the start call into theinResponseTovalue of the SAML request you are making.I'd have to test this to be sure, but I think the sequence is:
- call FusionAuth to get a
code(the start call) - Build your SAML request, putting the
codeinto theInResponseTofield of your SAML request. - Send the SAML request off
- Get the response in XML
- Call FusionAuth to complete the login (the complete call). Make sure you put the SAML response in the
data.samlResponsefield when calling complete.
Please try that. Make sure you are enabling
debugand reviewing the Event Log.And let us know how it goes. I'd like to update the documentation to be more clear.
- call FusionAuth to get a
-
@dan Thanks for this. You are bang on point.
- We had to make a call to FusionAuth to fetch the code(requestID)
- We built a AuthN request that looked something like this:
var samlRequestTemplate = `<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <ns3:AuthnRequest xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" xmlns:ns3="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ns4= "http://www.w3.org/2001/04/xmlenc#" Version="2.0" ProviderName="${idpName}" ID ="${CODE_FROM_FUSIONAUTH}" IssueInstant ="{issueInstant}" Destination="${idpEndpoint}" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="${acsUrl}"> <Issuer>${issuer}</Issuer> <ns3:NameIDPolicy Format="${nameIdFormat}" AllowCreate="false" /> </ns3:AuthnRequest>`;- Post this request to the Identity Provider.
- Complete the login flow and catch the response from IdP. It has the code included as a InResponseTo attribute within the encoded samlResponse.
- Call fusion to Complete the Identity Provider Login.
Then on it is the same flow as a normal Login API based login.
Cheers
-
@varunghaswala said in FusionAuth as SAML relying party and custom login pages:
<ns3:AuthnRequest xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" xmlns:ns3="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:ns4= "http://www.w3.org/2001/04/xmlenc#" Version="2.0" ProviderName="${idpName}" ID ="${CODE_FROM_FUSIONAUTH}" IssueInstant ="{issueInstant}"
Destination="${idpEndpoint}" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="${acsUrl}">
<Issuer>${issuer}</Issuer>
<ns3:NameIDPolicy Format="${nameIdFormat}" AllowCreate="false" />
</ns3:AuthnRequest>`;Ah, great, so it is the
IDwhich needs to be used as the code. I will update the documentation. Thanks so much for confirming. -