Can FusionAuth federate to itself?

If I am running multiple FusionAuth instances, can one be a SAML IdP and another be the SAML SP?

Yes. You'd need to configure each instance correctly, but this can be done.

Here's how I set up FusionAuth as a SAML IdP (idp.fusionauth.io) and added a 'Login with SAML' button on a FusionAuth instance (local.fusionauth.io). Both servers are running 1.24.0. I do have multiple tenants in both local and demo, but both applications are in the default tenant. (Setting up these servers locally is possible, but beyond the scope of this post.)

• Created a RSA 256 keypair on idp.fusionauth.io in key master (saml test)
• Created a RSA public key and imported the saml test public key into key master on local.fusionauth.io
• Add POST as an allowed CORS method in the local.fusionauth.io settings, with an allowed origin of https://idp.fusionauth.io.
• Created an application (samlsp) in local.fusionauth.io. Added a oauth redirect url to the application.
• Created an application (samlidp) in idp.fusionauth.io. Added a oauth redirect url to the application.
• Configured samlidp application with the following values:
  • enabled SAML on the SAML tab
  • set the issuer to https://example.com
  • added an authorized redirect url: https://local.fusionauth.io/samlv2/acs
  • set the response signing key to 'saml test'. All other response fields are default.
• Configured a SAML identity provider on local.fusionauth.io
  • name: idpfusionauth
  • IdP endpoint: https://idp.fusionauth.io/samlv2/login/a743e2cd-55bb-789c-b076-8846fdd3a51f ( pulled from the applications details screen of the samlidp application)
  • use nameid for email: true
  • verification key: use the certificate of the aforementioned saml test public key (not the public key!)
  • use post method: false
  • sign request: false
  • applications: samlsp enabled and registration enabled
• Updated the issuer on the samlidp application SAML screen. Set the issuer to https://local.fusionauth.io/samlv2/sp/dfd114b9-7b57-446d-8f60-ec6689f47da4. This value is pulled from the local.fusionauth.io SAMLv2 Identity Provider details. Note that you may need to trim this value, as when you copy it there may be spaces in front or behind, and if you don't remove them, you'll see a The AuthnRequest contained an invalid issuer message.

By following these steps, when you open up an incognito window and go to the login page of the samlsp application, you will see a 'login with saml' button, and then you can login with that.

This also works with an OIDC provider and from tenant to tenant in the same FusionAuth instance. Assume you have an app (app1) in your existing tenant and you want to allow users in a different tenant to log in to app1. You can do this with an identity provider.

To do so:

• create a new tenant in your FusionAuth instance
• create an application in the new tenant (app2)
  • add an authorized redirect URL of https://yourinstance.fusionauth.io/oauth2/callback
  • make sure the authorization code grant is checked.
• create a user in the new tenant
  • use same email address but a different password
  • register the user for app2
• create an OIDC identity provider
  • the name should be app2 IDP
  • update the button text to say 'log in with app2 in a different tenant'
  • the client identifier and secret should be the app2 client id and secret
  • the scope should be openid profile email
  • the authorization URL should be https://sandbox.fusionauth.io/oauth2/authorize
  • the token URL should be https://yourinstance.fusionauth.io/oauth2/token
  • the userinfo URL should be https://yourinstance.fusionauth.io/oauth2/userinfo
  • enable the OIDC identity provider for app1 and make sure to create a registration for that application when a successful authentication is done.

When you visit the app1 login screen, you should now see a button prompting you to log in with app2.

This allows you to do cross tenant enterprise sign on within the same FusionAuth instance.