@steven-bedford

We may need more information regarding your setup. If you feel like you are having a bug, I would encourage you to log one below:

https://github.com/FusionAuth/fusionauth-issues/issues/new/choose

Thanks,
Josh

Updated the documentation to reflect where the claims are pulled from more precisely: https://github.com/FusionAuth/fusionauth-site/pull/1636

Please do let me know about the escaping of the claim when you get a chance, @nathan .

@lsmith said in 2FA On Login:

Is it possible to have Two Factor Authentication in conjuction with Google and OpenId Identity Providers when using the hosted login pages?

Nope. This is because when you are using an identity provider, the identity provider is assumed to have done everything needed to authenticate the user. FusionAuth is delegating everything to that.

You could, if you need to, immediately do a "step up" auth in your application, but FusionAuth won't take care of this for you.

If you'd like to submit a feature request for this further explaining your use case, feel free to do so (you can reference this forum post): https://github.com/fusionauth/fusionauth-issues/issues

@kayweng-foong

How I can use OAuth authorize endpoint without fusionauth login UI ?

It depends on which grant you want to use. If you want to use the Authorization Code grant, which is what we typically recommend, then you are going to use the FusionAuth login UI (which can be customized via themes).

If you want to use the password grant, you can build your own UI. There's more on that grant here: https://fusionauth.io/docs/v1/tech/oauth/

If you don't care about using OAuth at all, but just want login functionality, you can use the Login API: https://fusionauth.io/docs/v1/tech/apis/login

If you want SSO between different applications, however, you need to use the Authorization Code grant. You are right, there's other related functionality (cookies, etc) that is required for SSO that is managed by the FusionAuth UI (often called the "hosted login pages").

There's an open issue: https://github.com/FusionAuth/fusionauth-issues/issues/1515 to allow for more management of the SSO session via API. Please feel free to upvote this issue and/or add your use case to the comments, as that helps us with our roadmap planning.

@charles-harris-de

Hiya,

Microsoft documentation is abundant and confusing, but this SO question seems to give you an answer: https://stackoverflow.com/questions/66643625/azure-ad-fetch-tenant-id-using-client-details

They suggest using the client credentials grant and retrieving a token. You'd have to use Lambda HTTP Connect to make this call from inside one of the FusionAuth lambdas.

I have not tested this. Please let me know if you found other workarounds or solutions.

Thanks @joshua I'll transmit the link to our infra team. Hopefully upgrade will happen soon. Currently we use version 1.28.1, from one year ago. Do you think upgrade could affect JWT signatures ?

An update.

So, I tried adding another IdP. This time with MS/Azure AD (using the tutorial https://fusionauth.io/docs/v1/tech/identity-providers/openid-connect/azure-ad). While going through the process, it seems that the port number was also added this redirect_uri here. So my guess is, it's hardcoded somewhere for the IdP stuff, and get inserted as part of the redirect without checking the domain/port FA is currenlty being run on.

@barb_flannery Hi, I discovered that by enabling Java Script for Safari on both iphones solved this problem.
I don't know how to mark this question as "Solved" - If anyone that reads this knows how to close it - please do so.
Many thanks.
Barb

@nalenz-divizend

Thanks for the heads up - this is being reviewed under ->

https://github.com/FusionAuth/fusionauth-issues/issues/1894

Thanks!
Josh

@abehari

Marking this as "solved" as this was addressed out of band. Let us know if there are any other questions.

Thanks,
Josh

@devops-1

Marking this as resolved as this was solved out of band from this forum.

https://fusionauth.io/docs/v1/tech/installation-guide/cloud#limits

related documentation about adding a whitelist entry.

@blake-whittle

FusionAuth deploys quickly for a multitude of devices and platforms.

https://fusionauth.io/download

We have an installation guide below

https://fusionauth.io/docs/v1/tech/installation-guide/

Finally, you can always reach out to our sales team for a good ole fashioned demo of how it can be deployed and used:

sales@fusionauth.io

I hope this helps!

Thanks,
Josh
FusionAuth

@dan said in SAML invalid timestamp.:

@joseantonio

We opened a bug and reviewed our SAML code and were unable to replicate the issue.

Here's the bug: https://github.com/FusionAuth/fusionauth-issues/issues/1486

If you can add any replication steps or other information to this bug, that would be very helpful. Otherwise we'll close it out in a week or so.

@joshua okay thank you bro

@johnathon

One approach would be to append the parameter idp_hint to the login URL to redirect a user to the appropriate IdP login page. Please read the hints section in our documentation for more information.

Another way to disable the password and email login for a user would be to set their password to a random 25-character string. This would make the password essentially impossible to brute force and thus impossible for them to log in via the hosted login page.

FusionAuth supports SCIM as of 1.36. More details here.

@md-tanveeraj Can you confirm how you are intergrating Google?

The two most common implementations of Google + FusionAuth are via the hosted pages (where you have FusionAuth display a login with google - https://fusionauth.io/docs/v1/tech/identity-providers/google) or via writing your own login page and Google integration (login with google via API - https://fusionauth.io/docs/v1/tech/apis/identity-providers/google#complete-the-google-login)

I might need some more context to be able to provide additional assistance.

Thanks,
Josh

@jeancarlo

Please see my out-of-band communication to you directly.

@pablo Thanks for the feedback! This would be a great feature request to log in outlining your requirements:

https://github.com/FusionAuth/fusionauth-issues/issues/new/choose

To note, we do record some metadata around a user login (user-agent, etc).

Thanks,
Josh

@francis-ducharme

To confirm, you are:

Sending the user to a page such as: https://local.fusionauth.io/oauth2/authorize?client_id=85a03867-dccf-4882-adde-1a79aeec50df&response_type=code&redirect_uri=https%3A%2F%2Fthird.com The user will click login with Google or be redirected automatically to Google (if using an idp_hint, for instance)

In this case, FusionAuth will redirect to https://third.com (example only) but could just as easily redirect to https://fourth.com depending on step one. In either case, all possible redirect URLs for your application need to be previously defined on the OAuth configuration for that application.

Also, we do have a few github issues allowing a wildcard to be defined for a redirect URL.

https://github.com/FusionAuth/fusionauth-issues/issues/437

With more context, I might be able to provide additional feedback. Depending on context, deeplinking might also be something worth exploring

https://www.youtube.com/watch?v=-vx5rdy-mvY

Thanks,
Josh