@dan Also, depending on the workflow, if a user does NOT federate but does NOT check "trust this computer" they will NOT establish "MFA trust". Without trust, a user will be prompted to MFA again. Of course, with "MFA trust", they will not be prompted. This answer is implicit to this conversation, but MFA policies and FusionAuth center around this check box and trust (with the current edge case of Federation noted).
Posts made by joshua
-
RE: Friction-free multi application SSO with MFA enabled
-
I am having issues upgrading my containerized version of FusionAuth
I'm seeing this message:
exec /usr/local/fusionauth/fusionauth-app/bin/start.sh: exec format error
when I try to upgrade FusionAuth. I'm running containers.
-
RE: Error validating SAML logout request
@dan continuing in a support thread.
-
RE: All system emails fail to send, but test email works
Note for future folks -
Resolved under this issue https://github.com/FusionAuth/fusionauth-issues/issues/1742
And in version 1.44
https://fusionauth.io/docs/v1/tech/release-notes#version-1-44-0
-
RE: Facing 'Cannot read properties of undefined (reading 'findIdentityProviderScriptByFileName')' console error in google sso sometimes.
Thanks for the question.
This may be related https://github.com/FusionAuth/fusionauth-issues/issues/2019. If it is, there is a workaround listed that you could attempt.
Thanks,
Josh
-
RE: events to webhook
@lambert-torres replied out of band to this forum. This may have been addressed in version 1.38.0 and beyond.
Thanks,
Josh
-
RE: Outages of the Hosted Service
Since FusionAuth hosts each customer on their own servers (you are not sharing hosts with other customers as in a traditional SaaS model), you can determine when (or if) you want to upgrade your server in FusionAuth Cloud.
If you would like to further weigh your options, you can reach out to our sales team for advice on what may best support you.
Thanks,
Josh
-
RE: Idp link event not firing - am I doing something wrong?
Thanks for the question -- I don't think that this will work in the way that you intend.
I would have to test to be sure, but if FusionAuth cannot make the user (based on your chosen user provisioning policy), then this user will not be created and thus not linked, and therefore this event will not fire.
https://fusionauth.io/docs/v1/tech/events-webhooks/events/user-identity-provider-link
Depending on your desired outcome, it might be best to change your linking strategy (to create this user when linking) and then use user.create webhooks. You could fail this transaction if certain requirements are not met (thus the user will not be created and linked).
I hope this helps!
Thanks,
Josh
-
RE: Identity provider logout
@quent Thanks for the question!
To note, each IdP will handle logout differently. It would be hard for FusionAuth to know how to log each user out of disparate systems. Killing each user session is specific to that IdP implementation. In the FusionAuth logout process, we will call a logout endpoint of your choosing. In that endpoint, you could have your integration call the IdP to remove the user's session.
I hope this helps!
Josh
-
RE: Performance issues after upgrade
@paul-fink marking this thread as being addressed out of this forum band.
-Josh
-
RE: Issue starting up docker image with FUSIONAUTH_APP_ADDITIONAL_JAVA_ARGS
Thanks for the question - if you remove the quotes from your args, that may resolve the issue.
- FUSIONAUTH_APP_ADDITIONAL_JAVA_ARGS=-Djavax.net.ssl.keyStore=/fusionauth/example.p12 -Djavax.net.ssl.keyStorePassword=****
Our documentation may need to be updated to address this
https://fusionauth.io/docs/v1/tech/admin-guide/securing#custom-keystore
Josh
-
RE: SAML v2 with Azure AD & Django
Is this still an open issue for you? If so, including the debug information (and turning on debug for the SAML IdP can be helpful) as you complete the SAML handshake.
- Josh
-
RE: SAML response from Google Workspace- Picture field ??
@leandro-menagonzalez Sorry - I was traveling for a bit and then under the weather.
Were you able to resolve this?
If not, my understanding is that this would be a mapping problem. Essentially, Google would have to be instructed to send over a profile pic url, and FusionAuth would consume that in the AuthN response. Further, a reconcile lambda can be used to grab this URL attribute and store on the user, etc. Let me know if I am misunderstanding the issue.
Josh
-
RE: SAML response from Google Workspace- Picture field ??
Thanks for the question. If I am understanding correctly, if you are expecting a certain attribute to be returned in an AuthN response, this would require additional configuration on the part of Google. Is there a configuration tool on that side to add an additional attribute to be sent in an AuthN response?
Thanks,
Josh
-
RE: Local oauth2/token endpoint returns missing grant_type error
Hi @josh-dura -
Is this still an open issue for you? The event logs are stored in the DB, so you should be able to access them by navigating in the admin UI (system > events log) to get a better idea of what might be occurring.
Thanks,
Josh
-
RE: all extended data are saved as arrays
Can you please provide some context as to what you are looking to achieve?
Are you storing this data on the user.data.* fields? How are you storing this data/arrays programmatically?
Thanks,
Josh
-
RE: Problem between oauth2/authorize code and oauth2/token in android
Hi @cgonzalez
Can you confirm how quickly you are completing the exchange for a token using the code?
"auth_code_not_found"
The code may not be available if:
- It has expired or
- It has already been used to obtain a token.
Thanks,
Josh
-
RE: Using native apple sign in
@tashi This failure is related to how you are asking FusionAuth to complete the login.
For Apple, you must complete a hybrid grant.
At a high level, here is how you will use the FusionAuth IdP Login API with Apple when you are not using our hosted login pages.
- Begin the Authorization Code grant with Apple using a hybrid grant response_type=code id_token.
- Collect the two tokens code and id_token sent to you by Apple on the redirect URL specified by the redirect_uri query parameter.
- Send these two values to the FusionAuth IdP Login API. Do not complete the Authorization Code exchange with Apple using the Token endpoint.
Please also note that Apple has a separate configuration for Web and Mobile-based authentication. There are a few open issues that may be worth reviewing as well and could be influencing the behavior you are seeing:
- https://github.com/FusionAuth/fusionauth-issues/issues/778
- https://github.com/FusionAuth/fusionauth-issues/issues/1248
Josh
-
RE: Removal of software
@markdoner27 This is a far-reaching question. Please feel free to post your question specifically as it relates to FusionAuth and we may be able to provide additional feedback.
-Josh