
Support overriding SAML ACS, audience, destination, recipient

Open benkloester opened this issue 3 months ago • 0 comments

Support overriding SAML default ACS, audience, destination, recipient (FusionAuth as service provider)

Problem

There are cases where we wish to have a reverse proxy between a SAML IdP and FusionAuth as service provider. Common examples of this are cloud access security brokers (CASB) such as Netskope, but reverse proxying may also be useful for transparent migration between service providers.

In such cases, the SAML assertions forwarded by the proxy will not necessarily align with the default values FusionAuth uses for certain service provider SAML attributes. In particular, some or all of the following may not match, resulting in SAML authentication not being possible:

  • Assertion Consumer Service URL (ACS)
  • Audience
  • Destination
  • Recipient

In order to be able to support such a proxy configuration, we need to be able to set/override these values.

Currently FusionAuth supports this for ACS (via IdP Initiated Callback URL/Callback URL attribute) and Destination (via Alternate destinations attribute), but not for Audience or Recipient.

We need a means to override the Audience (and Recipient) value expected by the service provider in order for reverse proxies / CASBs to work with FusionAuth.

Other authentication solutions such as Okta seem to support this.

Solution

  • Add a field to the SAML IdP configuration page and API that allows setting the Audience attribute.
  • Add a field to the SAML IdP configuration page and API that allows setting the Recipient attribute.

Alternatives/workarounds

Maybe have the proxy use the IdP's certificate to decrypt the SAML assertion, modify the SAML audience field, and re-sign with a different certificate corresponding to a SAML IdP set up in FusionAuth? Essentially MitM the SAML requests.

Additional context

Overrides seem to be supported in quite a few other products or libraries.

  • https://docs.pega.com/bundle/platform/page/platform/security/override-service-provider-settings-for-SAML-SSO-authentication-service.html
  • https://learn.microsoft.com/en-us/answers/questions/2244099/how-to-override-sustainsys-saml2-acs-url-to-api-sa
  • https://docs.pingidentity.com/pingfederate/12.3/administrators_reference_guide/help_spprotocolsettingstasklet_assertionconsumerservicestate.html
  • https://community.pega.com/sites/pdn.pega.com/files/help_v81/procomhelpmain.htm#data-/data-admin-/data-admin-authservice/saml-overriding-the-service-provider-settings-tsk.htm

Community guidelines

All issues filed in this repository must abide by the FusionAuth community guidelines.

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.

benkloester, Oct 16 '25 06:10
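To make the mismatch the issue describes concrete, here is an added example (not FusionAuth code and not from the issue author) of the service-provider-side check: the Destination, Recipient and Audience in a forwarded SAML Response are compared against the SP's defaults plus an optional per-field override list, which is the configuration the issue asks for. The response XML, the SP URLs and the config shape are all constructed for the example; signature verification is out of scope here.

```python
import xml.etree.ElementTree as ET  # prefer defusedxml in production (XXE hardening)

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: the IdP still targets the proxy's URLs (as a CASB
# would present them), not the SP's own ACS / entity ID.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  Destination="https://sso.proxy.example/acs">
  <saml:Assertion>
    <saml:Subject><saml:SubjectConfirmation>
      <saml:SubjectConfirmationData Recipient="https://sso.proxy.example/acs"/>
    </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://sso.proxy.example/sp</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

# Hypothetical SP defaults (the values an SP would normally insist on).
SP_DEFAULTS = {
    "destination": "https://auth.example/samlv2/acs",
    "recipient": "https://auth.example/samlv2/acs",
    "audience": "https://auth.example/samlv2/sp",
}


def extract_fields(xml_text):
    """Pull the three assertion fields the SP validates out of the Response.
    (The ACS is the URL the POST arrived at, so it is checked outside the XML.)"""
    root = ET.fromstring(xml_text)
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    return {
        "destination": root.get("Destination"),
        "recipient": scd.get("Recipient") if scd is not None else None,
        "audience": root.findtext(".//saml:Audience", namespaces=NS),
    }


def validate(fields, sp_config):
    """Each field must equal the SP default or one of its configured overrides.
    Returns the names of mismatching fields; an empty list means accepted."""
    overrides = sp_config.get("overrides", {})
    failures = []
    for name, default in sp_config["defaults"].items():
        allowed = {default, *overrides.get(name, [])}
        if fields.get(name) not in allowed:
            failures.append(name)
    return failures
```

With no overrides configured every proxied field fails; adding the proxy's URLs as overrides for all three fields is what makes the forwarded assertion acceptable, and overriding only some of them still rejects the response.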