Can a SAML application login request with an idp_hint query string parameter send the user directly to an IdP login screen?
Does the generic messenger have retry logic built in on failure? I see that webhooks support retry logic.
I have FA configured as a SAML v2 IdP. I'm trying to update the user and/or registration objects via the populate lambda. Just doing something like this doesn't seem to have any effect...
function populate(samlResponse, user, registration) {
  user.mobilePhone = '444-123-4567';
  user.data.mobilePhone = '555-123-4567';
  registration.mobilePhone = '666-123-4567';
  // the original repeated registration.mobilePhone here; registration.data is the assumed intent
  registration.data.mobilePhone = '777-123-4567';
}
Is there a 'save' step that I'm missing or some other mechanism to get those changes to 'stick'?
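As an added illustration (not the poster's code), a populate lambda of the same shape used in the other direction: reading user and registration fields into the SAML assertion's attribute map, with a small harness built on constructed objects. It assumes samlResponse.assertion.attributes is a map from attribute name to an array of string values.

```javascript
// Added example, not from the original post. Assumed shape:
// samlResponse.assertion.attributes is a map of attribute name -> array of values.
function populate(samlResponse, user, registration) {
  const attrs = samlResponse.assertion.attributes;
  const userData = user.data || {};
  const regData = registration.data || {};

  // Precedence for the phone attribute: registration.data, then user.data,
  // then the top-level user field. Only emit the attribute when a value exists.
  const phone = regData.mobilePhone || userData.mobilePhone || user.mobilePhone;
  if (phone) {
    attrs['mobilePhone'] = [phone];
  }
  if (user.email) {
    attrs['email'] = [user.email];
  }
  // Roles are multi-valued, so pass the whole array through as one attribute.
  if (Array.isArray(registration.roles) && registration.roles.length > 0) {
    attrs['roles'] = registration.roles.slice();
  }
}

// Harness: constructed user, registration and an empty response object.
function runPopulate() {
  const samlResponse = { assertion: { attributes: {} } };
  const user = {
    email: 'alice@example.com',
    mobilePhone: '444-123-4567',
    data: { mobilePhone: '555-123-4567' },
  };
  const registration = { roles: ['admin'], data: { mobilePhone: '777-123-4567' } };
  populate(samlResponse, user, registration);
  return samlResponse.assertion.attributes;
}

console.log(JSON.stringify(runPopulate()));
```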
Hello Everyone,
I'm currently utilising FusionAuth to create Multi-Factor Authentication (MFA) in an effort to strengthen the security of our application. Even though the material has been quite beneficial, I wanted to ask the community for some more tips and best practices.
I have the following specific queries:
Designing User Experience (UX): In order to guarantee a seamless and simple user experience, how have you incorporated MFA into your application's login process? Which UI/UX guidelines or design patterns have you discovered to be very successful?
Authenticator apps versus SMS: What aspects of employing SMS-based codes versus the authentication tool apps (such as Authy or Google Authenticator) did you take into account? Did user preferences or security considerations influence your choice in either direction?
Fallback Procedures: What backup plans do you have in place in case a user misplaces or deletes the authenticator app, losing access to their primary MFA method? In these situations, how can security and usability be balanced?
Scaling and Performance: Have there been any performance problems for those of you who have used MFA in large-scale applications? If yes, how did you respond to them?
Regulations and Conformance: Does your MFA deployment approach take into account any particular compliance requirements or legislation (such as GDPR, HIPAA, etc.)? How did you make sure your implementation complies with these specifications?
https://fusionauth.io/articles/authentication/multi-factor-power-apps-authentication
I would be interested in knowing about your implementation process experiences and any difficulties you encountered. I would be grateful for any advice, code snippets, or tools you could provide.
Thank you in advance.
Hello
I am wondering about the implementation of the webhooks of fusionauth
What is the guarantee of delivery? Is it "at least once"?
Could a request be dropped (for example, if the upstream service is down)?
I would also appreciate a bit of explanation of how it works as I'm interested in these mechanisms.
Thanks.
Hello,
My service provider works fine with many other SSO providers, but errors with FusionAuth.
I can see the (SAML SP Initiated) request is going to FusionAuth, but FusionAuth is returning back with this response: The AuthnRequest contained an invalid AssertionConsumerServiceURL
Can you tell me how to figure out what FusionAuth doesn't like? (Like I said, it works fine with many other SAML SSO IdPs.)
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<ns3:Response xmlns:ns3="urn:oasis:names:tc:SAML:2.0:protocol" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" xmlns:ns4="http://www.w3.org/2001/04/xmlenc#" Destination="https://platformqa.xxxxxx.com/Saml/AssertionConsumer" ID="_5fa02b8c-2d8f-4d50-9d50-1d000032e081">
<Issuer/>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_5fa02b8c-2d8f-4d50-9d50-1d000032e081">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>V6r7cdZvQUFj6RKP65sFB4CbB3xBJ59eQPvgB0nwIBY=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>XDAzUJVpA63kME8Mfy3V2OK79gfxCgTo5sqc1Gw3Z77i7ysh6g3g5GidbU/fu4xWn6SbPuSuxZTM1fjupeaknqocJsvSba7rHOBUmL43JYQR8/a2IrtuW18gRrX3gdnudSVX6ugoovJQw1ix+lB5I18tpUiNOLaCEzBg7Tl7RlcP4iEwbPnGV5JqyrPjBqE32i5BTfPMLnmL1QvUQE1kl4eWDXc/CvFtjhJheYymIE4aipOCzC7dyunL7BwZ3Bvf1B/xJljDER0aUqn9BGZT8cIcTcO85xxTWf/Z5NfMcFmHgvVY0LlKJqMH8h94V5hjrzHuQ6FQCt+Icr+CwyX01A==</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>MIICzDCCAbSgAwIBAQIQPFwUzvRxR1e2MjvPwnbYnDANBgkqhkiG9w0BAQsFADAiMSAwHgYDVQQDExdncmJpbmNkZXYuZnVzaW9uYXV0aC5pbzAeFw0yNDA3MjUxOTAyMjZaFw0zNDA3MjUxOTAyMjZaMCIxIDAeBgNVBAMTF2dyYmluY2Rldi5mdXNpb25hdXRoLmlvMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs5WuRr+f1dDA0b63IUqMyRapijzdCNaMXZSmgcuDM5CFvY10IWLikTekhjrW/E1wjCE0srolnbOfnvtRGLNJaDbP8hl0vC2xMYBJbFWSQC6Fdsz5MRVKv4xFoa8HiEbx1iTkkbrQoRSLcR1TIGBV2OxPcBL8N7Zw4SQnhlfZdGF+nujVVfP7fk7gKu5/n+O77Ep8Vm3nVxM32xmflquiV7+X8HWARpy3q/n1ex7wiuBsgptMPQ/ByVT+87yGX1sS0zK06SksAbYhm6EfajV4uPWUcUDuKee6hSlzolKNRUnNfgRhvwLnNNTRyq89RESRXoduMiJXNzuQ7pRynTgG8QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQCWYBwSuNUnRrMNGDcCcp/AtUoegSq5q6cHtYEO8kyqEEt3CvJRgx9wplBGTteZ38FZ5KcAegGn4tNAs6OD8aoS5h/5dvZuJ+ZXxu+jqaNGd7vOKavZG1XQeGAP0DPP5iCUo73OV2iaA4FpzkX6bRipVIBD+NDaXVfTkac4yHDtz0FTRMpPMMxk1I/08s+1KuunKato8w3SY6flOhuVwciShetUn39X0RLsRlQwwpYQFgxBfi9VJtoKZ1xOMwkB9bzxsXGpi6CrQMGDro4ndsfN1WERW9LSYR+ZDCkweW3YkXgMLwefE3Vyj7ZS256EmYMzr221XHX5ynQTKMjvf4S4</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
<ns3:Status>
<ns3:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester"/>
<ns3:StatusMessage>The AuthnRequest contained an invalid AssertionConsumerServiceURL [https://platformqa.xxxxxx.com/Saml/AssertionConsumer?binding=urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Abindings%3AHTTP-POST]</ns3:StatusMessage>
</ns3:Status>
</ns3:Response>
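As an added example (not part of the post), a small diagnostic that pulls the Status out of a Response shaped like the one above and compares the URL quoted in the StatusMessage with the Response's Destination, so the exact difference is visible before anyone changes SP or IdP settings. The sample is a constructed copy of the post's Response trimmed to the elements read here (Signature dropped, host replaced with example.com); the readers are regex-based for this known shape, not a general XML parser.

```javascript
// Constructed sample: the post's Response trimmed to the elements read below.
const SAMPLE_RESPONSE = `<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<ns3:Response xmlns:ns3="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://platformqa.example.com/Saml/AssertionConsumer" ID="_5fa02b8c-2d8f-4d50-9d50-1d000032e081">
<ns3:Status>
<ns3:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester"/>
<ns3:StatusMessage>The AuthnRequest contained an invalid AssertionConsumerServiceURL [https://platformqa.example.com/Saml/AssertionConsumer?binding=urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Abindings%3AHTTP-POST]</ns3:StatusMessage>
</ns3:Status>
</ns3:Response>`;

// Namespace-prefix-tolerant readers for this known document shape (not a general XML parser).
function attrOf(xml, tag, name) {
  const m = xml.match(new RegExp(`<(?:\\w+:)?${tag}\\b[^>]*\\s${name}="([^"]*)"`));
  return m ? m[1] : null;
}
function textOf(xml, tag) {
  const m = xml.match(new RegExp(`<(?:\\w+:)?${tag}\\b[^>]*>([\\s\\S]*?)</(?:\\w+:)?${tag}>`));
  return m ? m[1].trim() : null;
}

function parseSamlStatus(xml) {
  return {
    destination: attrOf(xml, 'Response', 'Destination'),
    statusCode: attrOf(xml, 'StatusCode', 'Value'),
    statusMessage: textOf(xml, 'StatusMessage'),
  };
}

// The status message quotes the rejected ACS URL in square brackets.
function rejectedAcsUrl(statusMessage) {
  const m = statusMessage ? statusMessage.match(/\[([^\]]+)\]/) : null;
  return m ? m[1] : null;
}

// Compare scheme+host+path, and list the percent-decoded query parameters
// the rejected URL carries beyond the Destination.
function diagnoseAcsMismatch(xml) {
  const status = parseSamlStatus(xml);
  const rejected = rejectedAcsUrl(status.statusMessage);
  if (!rejected || !status.destination) return { ...status, rejected, comparable: false };
  const a = new URL(rejected), b = new URL(status.destination);
  const extraQueryParams = {};
  a.searchParams.forEach((v, k) => { extraQueryParams[k] = v; });
  return {
    ...status, rejected, comparable: true,
    sameOriginAndPath: a.origin === b.origin && a.pathname === b.pathname,
    extraQueryParams,
  };
}

console.log(JSON.stringify(diagnoseAcsMismatch(SAMPLE_RESPONSE), null, 2));
```

For the sample, the origin and path match and the only difference is the decoded `binding` query parameter, which is the thing to reconcile between the SP's AuthnRequest and the ACS URL configured on the IdP side.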
When setting up SAML for an application, I understand it will redirect to the first entry in the "Authorized redirect URLs" config setting. When it does that redirect, it seems to do it as a POST. Is there a way to change that to a GET?
We updated our FusionAuth-hosted instance last night from version 1.37 to version 1.51 because of the XSS vulnerability in the FusionAuth admin application.
Prior to the upgrade, our SMTP integration was operable; afterwards it is not. We have verified that the email provider is accessible (our app's backend uses the same provider), and the configuration does not seem to have changed, using port 587 and TLS. The email provider is paubox, so the host is smtp.paubox.com.
Sending a test email from the tenant editing screen produces:
Unable to send email via JavaMail
Prime Messaging Exception
Exception reading response
Cause: SocketTimeoutException: Read timed out
Triggering a welcome email to be sent results in the following in the Event Log (Debug is enabled):
Async Email Send exception occurred.
Template Id: 006c9493-53c7-4e74-9332-************
Template Name: ******* - Welcome Email - Dev
Tenant Id: 00000000-0000-0000-7661-**********
Addressed to: *******
Cause:
jakarta.mail.MessagingException : Message: Exception reading response
App Log is reporting:
DEBUG: Jakarta Mail version 2.1.2
DEBUG: URL jar:file:/usr/local/fusionauth/fusionauth-app/lib/smtp-2.0.2.jar!/META-INF/javamail.providers
DEBUG: successfully loaded resource: jar:file:/usr/local/fusionauth/fusionauth-app/lib/smtp-2.0.2.jar!/META-INF/javamail.providers
DEBUG: Tables of loaded providers
DEBUG: Providers Listed By Class Name: {org.eclipse.angus.mail.smtp.SMTPTransport=jakarta.mail.Provider[TRANSPORT,smtp,org.eclipse.angus.mail.smtp.SMTPTransport,Oracle], org.eclipse.angus.mail.smtp.SMTPSSLTransport=jakarta.mail.Provider[TRANSPORT,smtps,org.eclipse.angus.mail.smtp.SMTPSSLTransport,Oracle]}
DEBUG: Providers Listed By Protocol: {smtp=jakarta.mail.Provider[TRANSPORT,smtp,org.eclipse.angus.mail.smtp.SMTPTransport,Oracle], smtps=jakarta.mail.Provider[TRANSPORT,smtps,org.eclipse.angus.mail.smtp.SMTPSSLTransport,Oracle]}
DEBUG: successfully loaded resource: /META-INF/javamail.default.address.map
DEBUG: URL jar:file:/usr/local/fusionauth/fusionauth-app/lib/smtp-2.0.2.jar!/META-INF/javamail.address.map
DEBUG: successfully loaded resource: jar:file:/usr/local/fusionauth/fusionauth-app/lib/smtp-2.0.2.jar!/META-INF/javamail.address.map
DEBUG: setDebug: Jakarta Mail version 2.1.2
SWAKS succeeds:
=== Trying smtp.paubox.com:587...
=== Connected to smtp.paubox.com.
<- 220 welcome to paubox smtp
-> EHLO ip----.ec2.internal
<- 250-paubox smtp at your service
<- 250-8BITMIME
<- 250-SMTPUTF8
<- 250-PIPELINING
<- 250-AUTH LOGIN PLAIN
<- 250-STARTTLS
<- 250 OK
-> STARTTLS
<- 220 Ready to start TLS
=== TLS started with cipher TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256
=== TLS no local certificate set
=== TLS peer DN="/CN=paubox.com"
~> EHLO ip----.ec2.internal
<~ 250-paubox smtp at your service
<~ 250-8BITMIME
<~ 250-SMTPUTF8
<~ 250-PIPELINING
<~ 250-AUTH LOGIN PLAIN
<~ 250 OK
~> AUTH LOGIN
<~ 334 ************
~> ********
<~ 334 ************
~> ********************************************************
<~ 235 OK
~> MAIL FROM:<@.com>
<~ 250 OK
~> RCPT TO:<.@.com>
<~ 250 OK
~> DATA
<~ 354 Enter message, ending with "." on a line by itself
~> Date: Wed, 24 Jul 2024 22:29:19 +0000
~> To: .@.com
~> From: @.com
~> Subject: test Wed, 24 Jul 2024 22:29:19 +0000
~> Message-Id: <******.@ip----**.ec2.internal>
~> X-Mailer: swaks v20201014.0 jetmore.org/john/code/swaks/
~>
~> Please disregard!
~>
~>
~> .
<~ 250 Requested mail action okay, completed
~> QUIT
<~ 221 Service closing transmission channel
=== Connection closed with remote host.
Resolved by setting timeouts in Edit Tenant -> Advanced -> SMTP Settings:
mail.smtp.timeout=30000
mail.smtp.connectiontimeout=10000
These timeouts were made accessible to SMTP settings in 1.44.0. They default to "no timeout" in JavaMail, and there is no documentation of any other default in FusionAuth.
Hello,
I recently updated my FusionAuth instance from version 1.47.1 to 1.51.2. Since the update, I noticed that the "Reindex" button in the "System" section is no longer visible. This button was crucial for our maintenance tasks, and I'm not sure why it has disappeared.
Has anyone else experienced this issue? Is there a new way to perform reindexing in version 1.51.2, or is this feature moved to a different section?
Any assistance or guidance would be greatly appreciated.
Thank you!
Hi All,
I just started using FusionAuth in the last 3 months. I'm using Docker to install FusionAuth. In the first month, it worked properly including the SSO, but suddenly this month the SSO didn't work: the user is always forced to re-login even though they already logged in on the same browser and same session.
I already set the session timeout like the screenshot below.
Is there any missing configuration or something that makes the user always be forced to re-login even though they already logged in previously?