FusionAuth
Configuring FusionAuth as a SAML IdP for Internal Applications

Q&A
wesley (last edited 30 Jan 2025, 21:34)

    I’m trying to achieve the following setup:

    1. A Tenant has two external SAML IdPs and wants to add a third option for email and password login using FusionAuth.
    2. This login should be presented as if it were an external SAML IdP.

    Scenario:
    For Tenant T, there are Applications A and B:

    • Application B has the SAML IdP feature enabled.
    • Application A uses a SAML IdP (S), which has the SAML Login URL from Application B as the IdP Endpoint.

    When clicking the button for S on Application A, a SAML request is generated. However, the Issuer in the SAML request references the Id of the Identity Provider S (e.g., https://company-stage.fusionauth.io/samlv2/sp/af59262c-79ba-48c6-a0a2-4ab1d2fc15d3).

    This results in an error:

    "The AuthnRequest contained an invalid issuer [https://company-stage.fusionauth.io/samlv2/sp/af59262c-79ba-48c6-a0a2-4ab1d2fc15d3] that does not map to an Application in FusionAuth."

    I understand the error since this Issuer does not correspond to an Application configured as a SAML SP. The Issuer should be https://company-stage.fusionauth.io/samlv2/sp/{id of App A} instead.
    Does this setup make sense, and could the issue relate to a single fusionauth.* namespace for cookies?

    wesley @wesley (last edited 30 Jan 2025, 21:37)

      Yes, it is possible to configure an Application with the SAML IdP feature enabled and use it as an IdP for another Application within the same Tenant.

      The error you’re encountering indicates that FusionAuth cannot find an Application configured as a SAML IdP with the Issuer URL https://company-stage.fusionauth.io/samlv2/sp/af59262c-79ba-48c6-a0a2-4ab1d2fc15d3. This URL corresponds to the Identity Provider you configured in Settings > Identity Provider.

      Resolution:

      To fix this issue, update the SAML configuration for Application B as follows:

      1. Navigate to Application B > Edit > SAML.
      2. Add the Issuer URL (https://company-stage.fusionauth.io/samlv2/sp/af59262c-79ba-48c6-a0a2-4ab1d2fc15d3) in the Issuer field.

      By doing this, FusionAuth will recognize the SAML request and correctly map it to Application B.

      wesley has marked this topic as solved on 30 Jan 2025, 21:37
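The mapping the answer describes can be checked end to end without a running FusionAuth instance. The script below is an added example, not code from the thread or from FusionAuth: it builds an AuthnRequest carrying the SP issuer FusionAuth uses for an Identity Provider (`https://<host>/samlv2/sp/{identityProviderId}`, the value quoted in the question), encodes it with the HTTP-Redirect binding, decodes it again, and looks the issuer up against a constructed list of Applications the way the error message implies FusionAuth does. The Application IDs and the tenant's application list are made up; the field names `samlv2Configuration.enabled` and `samlv2Configuration.issuer`, and the `PATCH /api/application/{applicationId}` body shape, follow FusionAuth's Application API as I understand it and should be checked against the current API docs before use.

```python
"""Reproduce the issuer lookup from the thread: decode a SAML AuthnRequest sent over
the HTTP-Redirect binding, extract <saml:Issuer>, and map it to an Application with the
SAML IdP feature enabled. Constructed example; only the IdP id and hostname come from
the thread."""

import base64
import urllib.parse
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

FUSIONAUTH_BASE = "https://company-stage.fusionauth.io"   # from the thread
IDP_S_ID = "af59262c-79ba-48c6-a0a2-4ab1d2fc15d3"          # Identity Provider S, from the thread
APP_A_ID = "11111111-1111-1111-1111-111111111111"          # constructed
APP_B_ID = "22222222-2222-2222-2222-222222222222"          # constructed


def sp_issuer(identity_provider_id: str) -> str:
    """Issuer FusionAuth sends when it acts as the SP for a SAML v2 Identity Provider."""
    return f"{FUSIONAUTH_BASE}/samlv2/sp/{identity_provider_id}"


def saml_login_url(application_id: str) -> str:
    """SAML login URL of an Application with the SAML IdP feature enabled (the IdP Endpoint)."""
    return f"{FUSIONAUTH_BASE}/samlv2/login/{application_id}"


def build_authn_request(issuer: str, destination: str) -> str:
    """Minimal unsigned AuthnRequest, enough to carry the Issuer that FusionAuth inspects."""
    request_id = "_" + uuid.uuid4().hex
    issue_instant = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{destination}">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        "</samlp:AuthnRequest>"
    )


def encode_redirect_binding(xml_text: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, URL-encode as SAMLRequest."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = compressor.compress(xml_text.encode()) + compressor.flush()
    return urllib.parse.urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})


def decode_redirect_binding(query: str) -> str:
    """Inverse of encode_redirect_binding: what the IdP side sees after parsing the query string."""
    params = urllib.parse.parse_qs(query)
    deflated = base64.b64decode(params["SAMLRequest"][0])
    return zlib.decompress(deflated, -15).decode()


def extract_issuer(xml_text: str) -> str:
    root = ET.fromstring(xml_text)
    issuer = root.find(f"{{{SAML_NS}}}Issuer")
    if issuer is None or not issuer.text:
        raise ValueError("AuthnRequest has no <saml:Issuer>")
    return issuer.text.strip()


def map_issuer_to_application(issuer: str, applications: dict) -> str:
    """Issuer must equal samlv2Configuration.issuer of an Application whose SAML IdP is enabled;
    otherwise raise the same error text the thread quotes."""
    for app_id, app in applications.items():
        saml = app.get("samlv2Configuration", {})
        if saml.get("enabled") and saml.get("issuer") == issuer:
            return app_id
    raise LookupError(
        f"The AuthnRequest contained an invalid issuer [{issuer}] "
        "that does not map to an Application in FusionAuth."
    )


def application_patch_body(issuer: str) -> dict:
    """Body for PATCH /api/application/{applicationId}: the API equivalent of
    Application B > Edit > SAML > Issuer (assumed field names, see lead-in)."""
    return {"application": {"samlv2Configuration": {"issuer": issuer}}}


def tenant_applications() -> dict:
    """Constructed tenant: A is a plain OAuth app, B has the SAML IdP enabled with a placeholder issuer."""
    return {
        APP_A_ID: {"name": "Application A", "samlv2Configuration": {"enabled": False}},
        APP_B_ID: {"name": "Application B",
                   "samlv2Configuration": {"enabled": True, "issuer": "urn:example:placeholder"}},
    }


if __name__ == "__main__":
    apps = tenant_applications()
    query = encode_redirect_binding(build_authn_request(sp_issuer(IDP_S_ID), saml_login_url(APP_B_ID)))
    issuer = extract_issuer(decode_redirect_binding(query))
    try:
        map_issuer_to_application(issuer, apps)
    except LookupError as err:
        print("before fix:", err)
    apps[APP_B_ID]["samlv2Configuration"].update(application_patch_body(issuer)["application"]["samlv2Configuration"])
    print("after fix: maps to", map_issuer_to_application(issuer, apps))
```

Running it prints the thread's error first and then the Application B id once the issuer has been applied, which is exactly the before/after the answer describes. The decode step is also useful on its own: paste the `SAMLRequest` parameter from a real redirect into `decode_redirect_binding` to confirm which Issuer FusionAuth is actually sending before touching the Application configuration.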