SAML SSO for application under tenant

harish_reddy · 26 Aug 2020, 09:06

I have created an application under a tenant other than the default tenant.

Configured issuer, ACS in the application.

I checked the issuer in SAML Authn request, it is matching the issuer configured in application.

The request is blocked with error message

FusionAuth is unable to complete this request due to an invalid tenant Id. This error is unexpected. Contact Support.

Can you please help with this error.
TIA

harish_reddy · 26 Aug 2020, 13:46

The worst part about the issue is - there is no event log even though debug is enabled in application SAML configuration.

harish_reddy · 26 Aug 2020, 14:58

I am able to debug the issue.

The SP was redirecting to /samlv2/login/9876d2-xyz-abc-pqr-123450e5b/idp/profile/SAML2/Redirect/SSO?SAMLRequest=

instead of /samlv2/login/9876d2-xyz-abc-pqr-123450e5b?SAMLRequest= as suggested in IDP metadata

Definitely error message can be better.

I guess Fusionauth is trying to identify a tenant for "9876d2-xyz-abc-pqr-123450e5b/idp/profile/SAML2/Redirect/SSO" and failing to find a tenant.

dan · 26 Aug 2020, 19:21

I'm glad you were able to debug the issue. This seems like a bug, but how did you fix it?

dan · 6 Aug 2021, 13:08

As of version 1.29.0, we've added a lot more SAML debugging. I'd be interested to know if anyone else runs into this issue and if the extra debugging helps resolve the issue more quickly.

Cheers!
Dan