@atabakov Can you please share the settings for the application in that Admin UI? Please do not include any secrets.

As of 1.59.0 this is possible but it is slightly unintuitive how to do it. It’s entirely driven by the form being used. Here's how to do it:

create a new user admin form: https://fusionauth.io/docs/lifecycle/manage-users/admin-forms make sure you omit the 'password' field from the form assign the form to your tenant create a new user

You can also create a user directly via the API with no password.

I have this same issue with 1.59.1
Windows Server 2016 core (no GUI)

FusionAuth works find from cmd line, but stops when I sign out of windows.
FusionAuth wont install as a service/register event log items (it hangs during event log registration: never completes and no error reported).

[HOST1]C:\fusionauth\fusionauth-app\bin>FusionAuthApp.exe /install
[HOST1]C:\fusionauth\fusionauth-app\bin>
Installing service FusionAuthApp...
Service FusionAuthApp has been successfully installed.
Creating EventLog source FusionAuthApp in log Application...
[HOST1]C:\fusionauth\fusionauth-app\bin>powershell
Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.
PS C:\fusionauth\fusionauth-app\bin> .\FusionAuthApp.exe /install
PS C:\fusionauth\fusionauth-app\bin> ^C
PS C:\fusionauth\fusionauth-app\bin> cd..
PS C:\fusionauth\fusionauth-app> cd ..
PS C:\fusionauth> cd ..
PS C:> \fusionauth\fusionauth-app\bin\FusionAuthApp.exe /install
PS C:> ^C
PS C:> EventLog source FusionAuthApp.in log Application...
PS C:> FusionAuthApp is being removed from the system...
PS C:> FusionAuthApp was successfully removed from the system.
PS C:> ng service FusionAuthApp...
PS C:> FusionAuthApp has been successfully installed.
PS C:> EventLog source FusionAuthApp in log Application...
PS C:>
PS C:>
PS C:>
PS C:>
PS C:> \fusionauth\fusionauth-app\bin\FusionAuthApp.exe /install
PS C:>
Removing EventLog source FusionAuthApp.
Service FusionAuthApp is being removed from the system...
Service FusionAuthApp was successfully removed from the system.
Installing service FusionAuthApp...
Service FusionAuthApp has been successfully installed.
Creating EventLog source FusionAuthApp in log Application...

Yes, I believe so.

It appears that connecting MitID to an application (also called an SP) requires utilizing an approved broker. A broker is essentially an OIDC connector.

Here is a list of official brokers: https://www.mitid.dk/en-gb/broker/current-brokers/.

We haven’t tested this, but based on reviewing Signicat’s OIDC documentation, the process seems fairly straightforward. They are one of the MitID brokers.

@francis-ducharme-0 You may have to parse the json returned from the get and modify a few things. Does the application get created but not work or does the application not get created? I would think you would need to take the relevant parts from the returned application then create the application under a new tenant? Remember you will have to use the new TenantId in the Request Header. If you are not supplying the TenantId, it will use the default.

On a side note: If you are still interested in a duplicate application across tenant feature in the API, you might want to put a request in.

@sergey_smirnov, it is awesome that you are able to follow and create steps to replicate the issue. To be 100% I'm not sure if this is a bug or a feature request. If FusionAuth is not behaving as you would like it, I would suggest opening an issue on Github. Be sure to include the details and repeatable steps.

Thanks for your answer. I got it.

You’ll need to disable or mock CAPTCHA in a test environment and adjust rate-limit settings in FusionAuth’s config or use test API keys to avoid hitting production limits during automated runs.

@mark-robustelli Thanks for your reply, Mark. If I manage to make it, I’d love to show you how I made it and what it looks like.

@lambert-torres You can get support for FusionAuth. Please see the pricing page if you are interested. I'm not sure if this is your exact situation, but you might want to look at this blog post as well.

@witard91335 Interesting, how do you see the flow working? What kind of tags are you trying to track though FusionAuth?

Hi @mark-robustelli, thanks for your reply. I need an API that logs out a user, but apparently that’s not possible. Is there any way or approach to log someone out.

Good question. I believe this is due to how we implemented our PATCH calls. If you are making a straight API call, you can change the Content-Type header to application/merge-patch+json which will instead overwrite the existing array with whatever you have provided. That's the most straightforward way to replace array values. There are other methods detailed in the doc below but those involve removing values one by one instead of just overwriting them. The downside here is that I don't believe Client Libraries usually support the merge-patch header.

https://fusionauth.io/docs/apis/#the-patch-http-method

If you believe that you have discovered a bug or issue with FusionAuth, please log an issue below.

https://github.com/FusionAuth/fusionauth-issues/issues/new/choose

To note, you will likely want to be listening to the registration.update webhook for changes to the registration object prompted by additional fields the user needs to have completed based on what is a required field for self service registration.

In the case of a user entering all these fields "manually" (as part of a registration form) we will create the user and the registration at the same time (thus transmitting all information, including all required registration fields, as part of the user.create and registration.create events).

However, in the case of a social login, the user and registration will be created after the IdP provider returns information via the user.create and registration.create events. Additional registration will be asked of the user as part of the complete registration process (if there are additional required fields) and that additional information will be transmitted as part of the registration.update event.

https://fusionauth.io/docs/extend/events-and-webhooks/events/user-registration-update

The transient policy is not something FusionAuth will support for the SAML NameID policy. From the SAML standards doc, a transient NameID is supposed to be a temporary value which is not a good basis to build a link between two identity systems on. That is the main reason FusionAuth does not support this policy as it would likely lead to issues later down the line with the Identity Provider. Apologies for the inconvenience but having the User ID/UUID shift or change would cause problems as FA relies on a consistent User ID/UUID(NameID) to make a SAML link work.

http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

Currently, there is not a way to turn it off. Our air gapped license is still going to try to make that call out to us, but that won't cause any issues. The difference being that a normal license would have issues if it could not "phone home" back to us whereas the air gapped license won't have issues but it will still try to make those calls.

If you want to change the font on the hosted login page and the login experience users are offered through FusionAuth, then this can be changed via our Themes. Very likely you will want to update the CSS associated with the theme you are using for the FusionAuth Application/Tenant. Changes to the theme can be completed through this API: https://fusionauth.io/docs/apis/themes/advanced-themes.

Alternatively, you can use the Admin UI to make changes to your CSS as well.

Yes with a Basic Cloud you get one custom domain and no backups, you would just need to update your DNS records to include our CNAMEs for this custom domain. You would submit your custom domain via the Hosting tab of the account.fusionauth.io under the Action Drop down. Then you will be shown the CNAME record for that domain and you will have to update your DNS records to include this CNAME. You can see an example of this at the doc below.

https://fusionauth.io/docs/get-started/run-in-the-cloud/cloud#custom-domains

You would not be able to use your own SSL certificates. We would handle all those in FusionAuth Cloud. We create the certificates on our end and you just need to create DNS records to validate the domain with the CNAME records.

There are a few ways you can get what you need. You can either make these changes via the API and then they will be updated in the UI.

https://fusionauth.io/docs/get-started/core-concepts/users#user-data

https://fusionauth.io/docs/apis/users#update-a-user

Or you can do this using custom admin forms:

https://fusionauth.io/docs/lifecycle/manage-users/admin-forms

The license ID is just the license key itself. You can grab your license here https://account.fusionauth.io/account/plan/. Each license will have a prod key and non-prod key, for testing you just need to grab the non-prod key and use that for your license ID in Kickstart.

https://fusionauth.io/docs/get-started/download-and-install/development/kickstart#set-your-license-id