
On Premise SSO Configuration

This guide details how to configure Single Sign-On (SSO) and user provisioning within FusionAuth. It walks through setting up a centralized Identity Provider to enable seamless SSO across applications, integrating it with the Synapse Database, and activating user provisioning so that roles are assigned and revoked automatically based on user authentication.


User Provisioning

Prerequisites

  • Access to FusionAuth with appropriate permissions.

  • Identity Provider configured and working.

Configuring User Provisioning

  1. Access user provisioning settings:

    Navigate to the settings tab of the customer.

  2. Configure provisioning connector keys:

    Ensure all provisioning connector keys are configured properly.

  3. Enable user provisioning:

    Activate user provisioning by toggling the switch.

  4. Automatic role assignment:

    Once enabled, user provisioning automatically assigns roles to users and removes them again, based on the roles received from the Identity Provider at login.


Configuring Identity Provider

  1. Access identity provider settings:

    Go to Settings -> Identity Provider.

  2. Edit identity provider:

    Locate and edit the configured Identity Provider.

  3. Add scope for roles:

    Ensure a scope is added to retrieve roles from the Identity Provider.

    Examples of scopes include Roles, Groups, UserManagedRoles, or a custom key defined for the Identity Provider.

Configuring Webhook in FusionAuth

  1. Access webhook settings:

    Navigate to Settings -> Webhooks.

  2. Edit webhook:

    Select and edit the configured webhook.

  3. Configure events:

    Enable the events user.create.complete and user.login.success.

    Save the webhook settings.


Configuring Tenant in FusionAuth

  1. Access tenant settings:

    Go to Tenant in FusionAuth.

  2. Edit tenant:

    Edit the corresponding Tenant (e.g., Betty Blocks).

  3. Configure webhooks:

    Navigate to the Webhooks tab.

    Ensure that the checkboxes for user.create.complete and user.login.success are checked.

 

Configuring Lambda in FusionAuth

  1. Access Lambda settings:

    Go to Customizations -> Lambdas.

  2. Edit Lambda:

    Locate and edit the lambda configured in the Identity Provider (likely named Betty OpenID reconcile lambda).

  3. Debugging Lambda:

    Enable debug mode on the lambda.

    Log in as a user to generate logs.

  4. View logs:

    Access System -> Event Log to view the logs of the logged-in user.

    (Screenshot: Lambda logs)

  5. Troubleshooting:

    If roles are not visible, add additional debug lines to the lambda function.

  6. Assign roles:

    If roles are found, add the following lines to the lambda function, replacing role_key with the appropriate key:

    // Inside the reconcile lambda: copy the roles claim from the JWT into
    // user.data.roles. Assign (rather than append) so that an absent claim
    // clears the roles and roles revoked at the Identity Provider are removed
    // on the next login.
    if (jwt.role_key) {
      user.data.roles = jwt.role_key;
    } else {
      user.data.roles = [];
    }
  7. Save and test:

    Save the lambda and test logging in again.

    If user provisioning is enabled, roles should now be automatically assigned based on the configured keys.


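The snippet from step 6 as part of a complete reconcile lambda, written here as an added example (it is not the page's or the project's own lambda). The claim name role_key, the reconcile(user, registration, jwt) signature and the claim formats handled are assumptions; it also handles claims sent as a string instead of an array.

```javascript
// Added example, not the project's lambda: a complete FusionAuth OpenID
// Connect reconcile lambda built around the snippet above. The claim name
// "role_key" is the guide's placeholder; set ROLE_CLAIM to the scope/claim
// your Identity Provider emits (e.g. roles, groups, UserManagedRoles).
var ROLE_CLAIM = 'role_key';

// Normalise the claim value. Identity Providers emit roles as a JSON array,
// a single string, or a space/comma separated string (assumed formats).
// Anything else, including a missing claim, yields no roles.
function normalizeRoles(claim) {
  var raw;
  if (Array.isArray(claim)) {
    raw = claim;
  } else if (typeof claim === 'string') {
    raw = claim.split(/[\s,]+/);
  } else {
    return [];
  }
  var roles = [];
  for (var i = 0; i < raw.length; i++) {
    var r = raw[i];
    // Keep only non-empty strings, once each.
    if (typeof r === 'string' && r.length > 0 && roles.indexOf(r) === -1) {
      roles.push(r);
    }
  }
  return roles;
}

// FusionAuth calls reconcile(user, registration, jwt) after the IdP login
// (signature assumed from the OpenID Connect lambda type).
function reconcile(user, registration, jwt) {
  if (!user.data) {
    user.data = {};
  }
  // Always assign rather than append: an absent or empty claim clears
  // user.data.roles, so roles revoked at the IdP are removed at next login.
  user.data.roles = normalizeRoles(jwt[ROLE_CLAIM]);
  return user.data.roles;
}
```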

Conclusion

Following these steps ensures that user provisioning is properly configured in FusionAuth, allowing for seamless role assignment and removal based on user login credentials.


FusionAuth Identity Provider

Prerequisites

  • Access to FusionAuth and Synapse with appropriate permissions.

FusionAuth Configuration

  1. Access FusionAuth Settings: Navigate to Settings -> Identity Providers.

  2. Create identity provider:

    Click the add button at the top right and select OpenID or SAML v2, based on your requirements (in this guide, we use OpenID).

    Fill in the required fields.

    At "Reconcile Lambda," choose the appropriate reconciliation lambda function (e.g., Betty OpenID reconcile lambda).

    Save the Identity Provider. Note down the Identity Provider ID for later configuration.

  3. Configure callback URL:

    Ensure that the redirect/callback URL is set to http://<domain>/oauth2/callback.

    This URL can be found in the pop-up when clicking on the view icon.

    (Screenshot: FusionAuth Configuration)

Synapse Database Configuration

Mandatory Configuration

  1. Update customer_identity_providers table:

    In the customer_identity_providers table, add a new record with the following details:

    • customer_id: Found in the customer's table.

    • description: A description of the Identity Provider.

    • active: Set to 1.

    • type: Set to designtime.

    • fusionauth_idp_uuid: Set to the ID of the Identity Provider created in FusionAuth.

    • inserted_at and updated_at: Set to the current timestamp.

      (Screenshot: updateCustomer)

  2. Note ID: Note down the ID of the new record created.

Non-Mandatory configuration

  1. Update customer_domains table:

    In the customer_domains table, add the email domain used for automatic redirection during login.

  2. Update customer_domain_identity_providers table:

    Connect the Identity Provider to the domain in the customer_domain_identity_providers table.


Sync identity provider

  1. Access control panel:

    Visit the control panel URL (e.g., https://synapse.<domain>/control-panel).

  2. Navigate to Customers:

    Go to Customers -> Index.

  3. Select Customer:

    Choose the appropriate customer.

  4. Verify configuration:

    Ensure that the Identity Provider is configured correctly.

    (Screenshot: verifyConfig)

  5. Go to identity provider:

    Click on the DesignTime Identity Provider.

  6. Sync SSO to FusionAuth:

    Press the "Sync SSO to FusionAuth" button to synchronize the Identity Provider.

(Screenshot: SyncSSO)

Conclusion

Once the synchronization is complete, new apps should immediately work with Single Sign-On using the configured Identity Provider.