FusionAuth

    egis

    Latest posts made by egis

    • RE: Lambda how can we get the ID Token and Access Token?

      @donal I have tried dumping all 3 lambda parameters to be sure but the documentation here https://fusionauth.io/docs/v1/tech/lambdas/openid-connect-response-reconcile/ confirms that jwt is just the response of the Userinfo endpoint (you can find that at the end of the first section).

      I also found an issue on GitHub https://github.com/FusionAuth/fusionauth-issues/issues/323 and left a comment there. Also, it doesn't seem there is a workaround for this.

      I am slightly confused that this is rarely mentioned as a problem, especially when it comes to Azure AD, which I would assume is the most popular identity provider for companies/enterprises. But I'm just having a hard time finding a solution. Maybe I'm just doing it wrong.

      posted in Q&A
      egis
    • RE: Lambda how can we get the ID Token and Access Token?

      @dan would you spare some more details of how this can be done? As I understand it, the Userinfo endpoint response does not contain id_token/access_token and they can only be found in the Token endpoint response (at least this can be inferred from the Event log).

      Thanks.

      posted in Q&A
      egis
    • RE: OpenID reconcile not executing?

      I am currently testing a multi-tenant Azure AD via OpenID Connect identity provider in FusionAuth too. Did you add the openid scope to the OpenID Connect identity provider? Also check the contents of the access/id tokens you are getting from Azure AD to see if email is in there.

      If I understand correctly, FusionAuth is trying to find an email claim first, and only when it does that successfully will it run a reconcile lambda. So if it cannot find an email claim, it will not run your lambda. At least that's what I experienced.

      I am currently trying to find a way to populate jwt with additional claims (tid - tenant id) from the Azure AD tokens and it seems that the reconcile lambda does not have access to those either.

      posted in Q&A
      egis
    • Multi-tenant SSO with Azure AD

      I am slightly confused about how a multi-tenant B2B SaaS setup should look when we are talking about OpenID Connect with Azure AD. We are considering getting a self-hosted FusionAuth instance but it seems that I can't sort out the flows.

      The goal here is to support SSO via Azure AD for clients that want to stay in control of their users within the company.

      Configuring FusionAuth for multitenancy, meaning every new client (organization) maps to a tenant in FusionAuth 1:1, also means that you have to create a new identity provider for each application that wants to be able to authenticate via their Azure AD. However, we are talking here about the same application on every tenant. The problem with this is that you have to explicitly know which tenant the anonymous user wants to log in to beforehand so it can present the right FusionAuth "login screen" for them with the right idp.

      Am I correct or am I missing something here?
      What is a typical login flow in such a setup?
      Is there a way to have a generic idp for any Azure AD tenant? (Technically Azure AD can be configured for multi-tenancy but then there would have to be logic somewhere in the FusionAuth idp that would check if the incoming Microsoft user is in the allowed tenants/emails list)

      I have been trying to understand how different vendors deal with this but I can't seem to find a clear path.

      Thanks in advance.

      posted in Q&A
      egis
    • RE: Is user login/registration MFA UI on the roadmap?

      @joshua

      Yes, the paid version is fine for us. We are just looking for an OAuth solution with enterprise identity providers and MFA that doesn't require too much work to get started.

      Great. Seems like this is included in the revamp. I can't find it mentioned anywhere, but is it possible to override the default HTML templates of the forms so it resembles our application UI theme?

      Thanks.

      posted in Q&A
      egis
    • Is user login/registration MFA UI on the roadmap?

      I have noticed you have been working on an MFA revamp. The last time I checked, if I remember correctly, FusionAuth did not have a UI for initial MFA setup and MFA login for the user and you had to implement that yourself with the endpoints provided (I hope I am remembering that correctly).

      Will you cover this with the revamp, and if not, is this on the roadmap at all?

      Thank you.

      posted in Q&A
      egis
    • How to implement user invitation?

      Hi,

      Since I could not find anything regarding invitation-based membership, I would like to know if there is an easier workaround than what I will describe here.

      The desired flow is that an existing member could invite a new user via email. A new user would set their personal information and password and become a member.

      1. User A creates unverified User B on FusionAuth via API with just an email.
      2. Trigger a password change email with a custom template.
      3. User B opens a link and sets a new password.
      4. User B logs in to the application and updates personal information on the application and FusionAuth via API.

      Is this possible with FusionAuth or is there an easier way? Is there a chance that this https://github.com/FusionAuth/fusionauth-issues/issues/743#issuecomment-664365516 will be implemented?

      Thanks

      posted in Q&A
      egis