Support RelayState as redirect URL for IdP initiated SAMLv2 login
Problem
This is the same feature request as https://github.com/FusionAuth/fusionauth-issues/issues/1785 - but that was closed complete, and wanted to give some more context on why the workaround in that issue does not work.
The workaround in #1785 (adding ?redirect_uri) does work for IdP initiated logins, but creates invalid requests for SP initiated logins because the ACS URL no longer matches whatever is in the system. Example error message:
Invalid request, ACS Url in request https://stablebuild.fusionauth.io/samlv2/acs doesn't match configured ACS Url https://stablebuild.fusionauth.io/samlv2/acs/?redirect_uri=https%3A%2F%2Fdashboard.stablebuild.com%2Fcallbacks%2Ffusionauth%3Furl%3D%252Forganizations%252Fstablebuild.
This creates a problem where (as far as I can see) it's not possible to have one SAML identity provider that supports both IdP initiated and SP initiated logins if the provider requires ?redirect_uri passed in. I've done a complete write-up on trying to get this configured for Google Workspace here: https://fusionauth.io/community/forum/topic/2551/google-workspace-saml-v2-both-idp-initiated-sp-initiated-logins
Solution
Either:
- If there's a URL in the RelayState - use that as the redirect URI.
- Loosen the check for 'Invalid request, ACS Url in request' - so we can stick a `?redirect_uri` in ACS URLs, even for SP-initiated logins.
Related issues
- https://github.com/FusionAuth/fusionauth-issues/issues/2399
Alternatives/workarounds
I've put my complete thought process (with screenshots and various configs) in https://fusionauth.io/community/forum/topic/2551/google-workspace-saml-v2-both-idp-initiated-sp-initiated-logins
Additional context
FusionAuth version: 1.47.1 (hosted version, Starter license).
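As an added illustration (not FusionAuth's code) of the two options in the Solution section: comparing ACS URLs without their query string, and accepting RelayState as the post-login redirect only when it is an absolute https URL on an allowlisted origin. The `ALLOWED_REDIRECT_ORIGINS` set and the function names are assumptions; the sample URLs are constructed from the ones quoted in the issue.

```python
from typing import Optional
from urllib.parse import urlsplit, parse_qs

# Constructed sample values modelled on the issue text.
CONFIGURED_ACS = "https://stablebuild.fusionauth.io/samlv2/acs"
# Assumption: the SP keeps an explicit allowlist of redirect origins.
ALLOWED_REDIRECT_ORIGINS = {"https://dashboard.stablebuild.com"}


def acs_matches(configured: str, requested: str) -> bool:
    """Compare ACS URLs on scheme, host and path only.

    Query parameters such as ?redirect_uri=... and a trailing slash are
    ignored, so an ACS URL carrying the workaround from the issue still
    matches the configured one for SP-initiated logins.
    """
    def norm(url: str):
        u = urlsplit(url)
        return (u.scheme.lower(), u.netloc.lower(), u.path.rstrip("/"))
    return norm(configured) == norm(requested)


def resolve_redirect(acs_url: str, relay_state: Optional[str], default: str) -> str:
    """Pick the redirect target after a successful SAML login.

    Order of preference: RelayState, then ?redirect_uri on the ACS URL,
    then the default. A candidate is only used if it is an absolute https
    URL whose origin is allowlisted; relative paths and unknown origins
    fall back to the default so RelayState cannot steer users off-site.
    """
    candidates = []
    if relay_state:
        candidates.append(relay_state)
    candidates.extend(parse_qs(urlsplit(acs_url).query).get("redirect_uri", []))
    for cand in candidates:
        parts = urlsplit(cand)
        origin = f"{parts.scheme}://{parts.netloc}".lower()
        if parts.scheme.lower() == "https" and origin in ALLOWED_REDIRECT_ORIGINS:
            return cand
    return default
```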
I believe this should already work as you expect.
If it is not, we should investigate.
Internal:
We should review how RelayState is used in the path, I believe it should be working already.
Perhaps we just have a documentation issue, or perhaps a bug in the code.
@robotdan I'm having very similar issues with Okta trying to get both IdP and SP initiated logins to work.
- Using the Callback URL (ACS):
  - SP initiated works, IdP initiated fails w/ "The request is missing a required parameter: redirect_uri" (RelayState is set)
- Using the IdP Initiated Callback URLs (ACS):
  - IdP initiated works (RelayState is respected), SP initiated fails with "Invalid redirect_uri Y2xpZW50X2lkPTRkOWMyMzE4LThhZjEtNGRjYS05MTE3LWU3MWQ4OTgzYjVhZSZjb2RlX2NoYWxsZW5nZT0mY29kZV9jaGFsbGVuZ2VfbWV0aG9kPSZtZXRhRGF0YS5kZXZpY2UubmFtZT1tYWNPUyUyMENocm9tZSZtZXRhRGF0YS5kZXZpY2UudHlwZT1CUk9XU0VSJm5vbmNlPSZyZWRpcmVjdF91cmk9aHR0cCUzQSUyRiUyRmxvY2FsaG9zdCUzQTgwMDElMkZjYWxsYmFja3MlMkZmdXNpb25hdXRoJTNGdXJsJTNEJTI1MkYmcmVzcG9uc2VfbW9kZT0mcmVzcG9uc2VfdHlwZT1jb2RlJnNjb3BlPSZzdGF0ZT0mdGVuYW50SWQ9YTNmNWE3N2YtZThhYS01NWQwLWE3Y2ItZGU3MmY5Y2RlYWU0JnRpbWV6b25lPUV1cm9wZSUyRkFtc3RlcmRhbSZ1c2VyX2NvZGU9JmNzcmY9TVRTaHJtWlJFT3BfcHJNaCZpZGVudGl0eVByb3ZpZGVySWQ9OGZlZWE4MjctMzYwNS00MjNjLWIxOGItYzk1Y2U0NTRjYTY3"
> Perhaps we just have a documentation issue, or perhaps a bug in the code.
Someone doing a writeup of both IdP and SP initiated logins using a single identity provider would be tremendously helpful. The docs always split this up. There's an IdP-initiated login tutorial for Okta, and an SP-initiated login tutorial for Okta; both using different URLs. There is not one that does both. I've been banging my head against this wall for the past two weeks, and I assume this should be a pretty common use case.
https://github.com/FusionAuth/fusionauth-issues/issues/2399 seems to be the same issue.
Edit: I can get Okta to work by configuring the "IdP initiated callback URL" as the default SSO URL and configuring the "Callback URL (ACS)" under 'Other Requestable SSO URLs'. That would be good to be in the FusionAuth docs.
@janjongboom I tested out using a single FusionAuth identity provider for both SP and IdP-initiated auth. I've got it written up, but not published in any of our docs yet. It feels a little wordy to paste a bunch of markdown into this issue, so I'm going to attach it as a PDF. Could you let me know if this is what you are trying to achieve?