
    How to make a saml request with php / fusionauth?

ken:

Hi, we have our own login page (not FusionAuth hosted) with a button "Login with SAML". Once the user clicks it, we do this: https://fusionauth.io/docs/v1/tech/apis/identity-providers/samlv2#start-a-saml-v2-login-request which returns a code.

The next step in the docs says to do this: https://fusionauth.io/docs/v1/tech/apis/identity-providers/samlv2#complete-a-saml-v2-login but is there a step missing before this? Don't we have to redirect the user to the IdP's login page and pass the SAML request with the returned code? How do we make this request? This step isn't documented. Is there a FusionAuth function or API endpoint that we call that does this redirection and SAML request creation for us?

dan (@ken):

        Hiya,

        Yes, you complete a login after the user has logged in at the SAML provider. That's implied, but maybe we should make it a bit clearer.

        From https://fusionauth.io/docs/v1/tech/apis/identity-providers/samlv2#complete-a-saml-v2-login

        This API allows you to complete a SAML v2 login after the user has authenticated with a SAML v2 identity provider. If you are using the FusionAuth login UI with the SAML v2 button you will not utilize this API directly.

        The idea is:

        1. you call start SAML login (the FusionAuth API)
        2. you direct the user to the IDP
        3. you get the SAML response
        4. you pass the SAML response to the complete API call (again, FusionAuth API)

        Why not just integrate SAML directly into your application? It's an instance of the identity broker pattern, and having FusionAuth in the middle can allow for a standard interface across SAML and other remote IdP providers.

        How you handle steps 2 and 3 is not documented for two reasons.

        • It might vary widely, depending on the SAML IdP and your configuration.
        • It is expected that as someone who is using the start/complete API and not the FusionAuth hosted login pages, you are familiar enough with SAML to take care of them.

        Hope this helps!

        --
        FusionAuth - Auth for devs, built by devs.
        https://fusionauth.io
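The four steps dan lists, written out as an added PHP example; this is not code from the thread or from FusionAuth. Every URL, ID and the API key are placeholders, the FusionAuth request bodies follow the two doc pages linked above and should be checked against them, and carrying the step 1 code in RelayState is this example's own choice, not something the thread specifies.

```php
<?php
// Added example: FusionAuth start/complete flow with a hand-built SAML AuthnRequest
// (HTTP-Redirect binding). All constants are placeholders; field names as read from the linked docs.
const FUSIONAUTH_URL = 'https://fusionauth.example.com';
const API_KEY       = 'REPLACE_WITH_API_KEY';
const APP_ID        = '00000000-0000-0000-0000-000000000001';
const IDP_ID        = '00000000-0000-0000-0000-000000000002';
const SP_ENTITY_ID  = 'https://app.example.com/saml';
const ACS_URL       = 'https://app.example.com/saml/acs';
const IDP_SSO_URL   = 'https://idp.example.com/sso';

function fusionauthPost(string $path, array $body): array {
    $ch = curl_init(FUSIONAUTH_URL . $path);
    curl_setopt_array($ch, [
        CURLOPT_POST => true,
        CURLOPT_POSTFIELDS => json_encode($body),
        CURLOPT_HTTPHEADER => ['Authorization: ' . API_KEY, 'Content-Type: application/json'],
        CURLOPT_RETURNTRANSFER => true,
    ]);
    $resp = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    if ($status !== 200) throw new RuntimeException("FusionAuth $path returned $status: $resp");
    return json_decode($resp, true, 512, JSON_THROW_ON_ERROR);
}

// Step 1: FusionAuth issues a code for this pending login.
function startLogin(): string {
    return fusionauthPost('/api/identity-provider/start',
        ['applicationId' => APP_ID, 'identityProviderId' => IDP_ID])['code'];
}

// Step 2: build the AuthnRequest, raw-deflate + base64 it, and redirect the browser to the IdP.
// RelayState carries the step 1 code so the ACS handler can tie the response back to it.
function authnRequestRedirectUrl(string $code): string {
    $xml = '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
         . ' xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"'
         . ' ID="_' . bin2hex(random_bytes(16)) . '" Version="2.0"'
         . ' IssueInstant="' . gmdate('Y-m-d\TH:i:s\Z') . '"'
         . ' Destination="' . htmlspecialchars(IDP_SSO_URL, ENT_XML1) . '"'
         . ' AssertionConsumerServiceURL="' . htmlspecialchars(ACS_URL, ENT_XML1) . '"'
         . ' ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
         . '<saml:Issuer>' . htmlspecialchars(SP_ENTITY_ID, ENT_XML1) . '</saml:Issuer></samlp:AuthnRequest>';
    return IDP_SSO_URL . '?' . http_build_query(['SAMLRequest' => base64_encode(gzdeflate($xml)), 'RelayState' => $code]);
}

// Steps 3 and 4: the IdP POSTs the base64 SAMLResponse to ACS_URL; hand it to FusionAuth, which
// validates it against the configured IdP and returns the user and token on success.
function completeLogin(string $samlResponseB64): array {
    return fusionauthPost('/api/identity-provider/login', ['applicationId' => APP_ID,
        'identityProviderId' => IDP_ID, 'data' => ['samlResponse' => $samlResponseB64]]);
}
```

In the ACS handler, call `completeLogin($_POST['SAMLResponse'])` and read the code back from `$_POST['RelayState']`; the request ID generated in step 2 should be stored server-side if you also want to check the response's InResponseTo yourself.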
