Friction-free multi-application SSO with MFA enabled
-
Hi FusionAuth community!
I'm preparing an upgrade of a FusionAuth instance embedded in my system. The update is quite a big leap - from 1.33.0 to the latest 1.43.1 version. Across those versions lots of changes appeared, so some tweaks in the runtime environment and supporting services were inevitable, but eventually all is working as expected, with one exception: the SSO flow with MFA enabled.
In my system I have a set of independent services that are registered in FA as independent applications. Up until now, our users entered the system by accessing one of those services - the service then redirected the user to complete the OAuth2 flow via the hosted login pages. If the user decided to navigate to another service, then the authentication (in the scope of the other service) would be performed without user interaction - since he has an active FusionAuth SSO session, the whole authentication drills down to just a bunch of 302 redirects. In 1.33.0, the whole process looked the same with or without MFA enabled, with the exception that the user was asked for the second factor during the initial sign-on (when accessing the first service).
After upgrading, the process looks different. The first authentication looks the same, but when the user switches between the services, he is asked for the second factor - he doesn't need to provide username and password (this is what SSO is all about, yes?) but is asked to provide the second factor on each new service accessed.
The new behavior significantly breaks the UX of my system, and I'm looking for an option that allows me to tune FA policies to behave like in 1.33.0. Is this behavior configurable in any way?
As additional context, I have Multi-Factor policies set to Enabled at the tenant level. The setting is not overridden in any of the FA applications. The whole described journey of a user across all the services happens in the scope of a single web browser session, and without the use of the "trust this computer for 30 days" option.
-
@mgetka Did you get this sorted out?
Nothing comes to mind, other than maybe cookies aren't being saved off during the bouncing of the redirects. The cookies are documented here: https://fusionauth.io/docs/v1/tech/reference/cookies
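Added example (not from the thread, the poster, or FusionAuth): a small Python tracer that walks an OAuth2 redirect chain one hop at a time, records which cookies each hop sets, which of them a browser would attach to the next request, and which a browser would reject outright. It is one way to check the "cookies aren't being saved off during the redirects" hypothesis: the first visit to the identity provider stores cookies, and the later cross-site redirect from a second service shows which of them actually travel. The hostnames, cookie names and the canned redirect chain in CONSTRUCTED_CHAIN are made up for the demo and say nothing about the names or attributes of FusionAuth's real cookies; site_of() is a two-label approximation of the public-suffix rules a browser applies.

```python
from dataclasses import dataclass, field
from http.cookies import SimpleCookie
from urllib.parse import urljoin, urlsplit
import urllib.error
import urllib.request

REDIRECTS = {301, 302, 303, 307, 308}

@dataclass
class Hop:
    url: str
    status: int
    sent: list = field(default_factory=list)      # cookie names sent with this request
    stored: list = field(default_factory=list)    # cookies accepted from this response
    warnings: list = field(default_factory=list)  # cookies a browser would reject

def site_of(host):
    """Heuristic 'site' (last two labels); real browsers use the public suffix list."""
    return ".".join(host.split(".")[-2:])

def cookie_matches(attrs, host, scheme, cross_site):
    """Browser rules for whether a stored cookie is attached to a request."""
    domain = attrs["domain"] or attrs["host"]
    if host != domain and not host.endswith("." + domain):
        return False
    if attrs["secure"] and scheme != "https":
        return False
    # SameSite=Strict is never attached to a cross-site navigation, even a top-level
    # redirect from another site; Lax (the default) is attached to top-level GETs.
    return not (cross_site and attrs["samesite"].lower() == "strict")

def parse_set_cookie(header, host, scheme):
    """Return (name, value, attrs, warning); warning is set if a browser rejects it."""
    (name, morsel), = SimpleCookie(header).items()
    attrs = {"host": host, "domain": morsel["domain"].lstrip("."),
             "secure": bool(morsel["secure"]),
             "samesite": morsel["samesite"] or "Lax"}  # Lax is the modern default
    warning = None
    if attrs["secure"] and scheme != "https":
        warning = f"{name}: Secure cookie set over {scheme} is rejected"
    elif attrs["samesite"].lower() == "none" and not attrs["secure"]:
        warning = f"{name}: SameSite=None without Secure is rejected"
    return name, morsel.value, attrs, warning

def trace(start_url, fetch, max_hops=10):
    """Follow redirects manually. fetch(url, cookie_header) must return
    (status, list_of_set_cookie_headers, location_or_None)."""
    store, hops, url, prev_site = {}, [], start_url, None
    for _ in range(max_hops):
        parts = urlsplit(url)
        host, scheme = parts.hostname, parts.scheme
        cross_site = prev_site is not None and prev_site != site_of(host)
        sent = [n for n, (_, a) in store.items() if cookie_matches(a, host, scheme, cross_site)]
        status, set_cookies, location = fetch(url, "; ".join(f"{n}={store[n][0]}" for n in sent))
        hop = Hop(url, status, sent)
        for raw in set_cookies:
            name, value, attrs, warning = parse_set_cookie(raw, host, scheme)
            if warning:
                hop.warnings.append(warning)
            else:
                store[name] = (value, attrs)
                hop.stored.append(name)
        hops.append(hop)
        if status not in REDIRECTS or not location:
            break
        prev_site, url = site_of(host), urljoin(url, location)
    return hops

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface the 3xx to us instead of following it

def http_fetch(url, cookie_header):
    """Live one-hop fetch against a real deployment (needs network)."""
    req = urllib.request.Request(url, headers={"Cookie": cookie_header} if cookie_header else {})
    try:
        resp = urllib.request.build_opener(_NoRedirect).open(req, timeout=10)
        status = resp.status
    except urllib.error.HTTPError as err:
        resp, status = err, err.code
    return status, resp.headers.get_all("Set-Cookie") or [], resp.headers.get("Location")

# Constructed chain (hostnames and cookie names are made up for this demo):
# service A -> IdP (sets cookies) -> A's callback -> service B -> IdP again.
IDP = "https://auth.example.net/oauth2/authorize"
CONSTRUCTED_CHAIN = {
    "https://app.example.com/login": (302, [], IDP + "?client_id=app"),
    IDP + "?client_id=app": (302, ["sso_lax=abc; Path=/; Secure; HttpOnly; SameSite=Lax",
                                   "sso_strict=def; Path=/; Secure; HttpOnly; SameSite=Strict",
                                   "broken=1; Path=/; SameSite=None"],
                             "https://app.example.com/callback?code=x"),
    "https://app.example.com/callback?code=x": (302, [], "https://other.example.org/"),
    "https://other.example.org/": (302, [], IDP + "?client_id=other"),
    IDP + "?client_id=other": (200, [], None),
}

def demo():
    # Last hop shows the Strict cookie is dropped on the cross-site redirect from service B.
    return trace("https://app.example.com/login", lambda url, _cookie: CONSTRUCTED_CHAIN[url])
```

Point trace() at a service's login URL with http_fetch to inspect a live chain. A cookie that appears in one hop's stored list but is missing from sent on the later hop back to the identity provider, or that shows up in warnings, is the first thing to look at; the demo chain shows both cases (a Strict cookie silently not sent, and a SameSite=None cookie without Secure rejected at set time).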
-
@dan We have the exact same problem.
MFA prompt is ruining the SSO experience.
Can you please share which cookie is supposed to handle the MFA trust?
-
For future readers, here are two relevant GitHub issues on this topic.
Please feel free to upvote those issues and/or add comments about your use case. GitHub issue upvotes and comments are the main way for community members to provide roadmap feedback to the FusionAuth team.
-
@dan Also, depending on the workflow, if a user does NOT federate but does NOT check "trust this computer" they will NOT establish "MFA trust". Without trust, a user will be prompted to MFA again. Of course, with "MFA trust", they will not be prompted. This answer is implicit to this conversation, but MFA policies and FusionAuth center around this check box and trust (with the current edge case of Federation noted).