@impackt Great, glad you have a path forward.

@eirikur That is awesome, thanks so much for sharing your settings.

This also works with an OIDC provider and from tenant to tenant in the same FusionAuth instance. Assume you have an app (app1) in your existing tenant and you want to allow users in a different tenant to log in to app1. You can do this with an identity provider.

To do so:

create a new tenant in your FusionAuth instance create an application in the new tenant (app2) add an authorized redirect URL of https://yourinstance.fusionauth.io/oauth2/callback make sure the authorization code grant is checked. create a user in the new tenant use same email address but a different password register the user for app2 create an OIDC identity provider the name should be app2 IDP update the button text to say 'log in with app2 in a different tenant' the client identifier and secret should be the app2 client id and secret the scope should be openid profile email the authorization URL should be https://sandbox.fusionauth.io/oauth2/authorize the token URL should be https://yourinstance.fusionauth.io/oauth2/token the userinfo URL should be https://yourinstance.fusionauth.io/oauth2/userinfo enable the OIDC identity provider for app1 and make sure to create a registration for that application when a successful authentication is done.

When you visit the app1 login screen, you should now see a button prompting you to log in with app2.

This allows you to do cross tenant enterprise sign on within the same FusionAuth instance.

Yes, you could connect one FusionAuth to another using an OpenID Connect Identity Provider or SAML v2.

Different people use various items. You can do direct partnerships, as I've seen our vendors do with Duo, or you can roll your own ADFS, as I spoke with a company yesterday that was doing. If you're comparing options, I'd also look at Okta.

Go talk to the people who make identity products and ask them to sell it to you. It appears that you have no idea what you're asking, so it's either that or hire a consultant to tell you.

Yes, you can have FusionAuth simply federate identity and not hold anything permanent in its own datastore. SSO should work in that case.

Two options:

If your existing user store can speak SAML or OIDC, you should be able to use an identity provider https://fusionauth.io/docs/v1/tech/identity-providers/ You would need to modify the theme and you'd probably want to use a hint. If your existing user store can speak LDAP or a JSON API, you can use connectors without migrating (this is a feature for which you must buy at least a developer license, starting at 125/month, more here: https://fusionauth.io/pricing/ ). Here's more on connectors: https://fusionauth.io/docs/v1/tech/connectors/

In both these cases, FusionAuth communicates with your userstore through some kind of facade, not directly with the database. Such direct database access isn't supported.

I'm not sure how this will work for all aspects of FusionAuth (password expiration, passwordless, etc) but for the main login flows it should work great.

Looks like you added an issue: https://github.com/FusionAuth/fusionauth-issues/issues/668

Thanks!