
Google SAML SSO - 403 app_not_configured_for_user error when signed into personal Google account

I'm working on a SAML SSO integration for our app using Google / G Suite. Our customers configure our SAML app in their company's G Suite admin settings. The integration works correctly in most cases:

  • Suppose you're not signed into a Google account yet. You initiate the SSO process. You're prompted to sign into your company Google account, and SSO works correctly.

[Image: Google account prompt when not signed in yet]

  • Suppose you're already signed into your company Google account and your personal Google account. You initiate the SSO process. You see an account chooser. If you choose your company Google account, SSO works correctly.

[Image: account chooser prompt when signed into multiple accounts]

However, SSO fails in this case:

  • Suppose you are only signed into your personal Google account. Google does not display the account chooser. Instead, you immediately get a 403 error: "Error: app_not_configured_for_user."

[Image: 403 error if only signed into wrong account]

This has led to a very confusing experience for our users. It's pretty common that you're currently only signed into one Google account that's not your company Google account. Furthermore, the error page is opaque -- it's not clear to a user what they did wrong.

Is there any way to always show the account chooser? For example, are there any parameters we can add to the /o/saml2/idp url or the SAML AuthnRequest? (E.g. we tried setting ForceAuthn and adding a <saml:Subject> block in the AuthnRequest, but it seems Google's SAML does not support either.)

Or is there a way for our app to get a callback on error, so we can show a more meaningful error message?

(I contacted G Suite support, and they said to ask our question on Stack Overflow instead. Appreciate your help here!)

asked Oct 03 '19 17:10 by Sohan Jain




1 Answer

Instead of redirecting directly from your app to the Google IdP, you need to redirect to https://accounts.google.com/accountchooser?continue={theredirectURL}

See Google SAML app_not_configured_for_user / equivalent of prompt=select_account SAML

answered Oct 25 '22 16:10 by tripper54
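A worked version of the two-hop redirect from the answer above, added here as example code (it is not from the asker, the answerer, or Google): it builds a minimal SAML AuthnRequest for the HTTP-Redirect binding, appends it to the Google IdP SSO URL, and then wraps that URL in the account chooser's `continue` parameter so the chooser is shown even when only one (wrong) account is signed in. The SP entity ID, ACS URL and the `idpid` value are constructed placeholders; the request is unsigned, which matches the plain SAMLRequest-in-query form of the redirect.

```python
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed placeholder SP settings; substitute your own.
SP_ENTITY_ID = "https://app.example.com/saml/metadata"
SP_ACS_URL = "https://app.example.com/saml/acs"
# Google's SSO URL for the SAML app (from the Admin console); idpid value is a placeholder.
GOOGLE_IDP_SSO_URL = "https://accounts.google.com/o/saml2/idp?idpid=EXAMPLE_IDP_ID"
ACCOUNT_CHOOSER_URL = "https://accounts.google.com/accountchooser"

def build_authn_request(request_id, issue_instant):
    # Minimal AuthnRequest; ID must be an XML NCName, so callers prefix it with "_".
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        f'AssertionConsumerServiceURL="{SP_ACS_URL}">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>"
    )

def encode_redirect_param(xml):
    # HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64.
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()

def decode_redirect_param(value):
    return zlib.decompress(base64.b64decode(value), -15).decode()

def build_idp_redirect_url(xml, relay_state=None):
    # The IdP URL already carries idpid, so SAMLRequest/RelayState are appended with "&".
    params = {"SAMLRequest": encode_redirect_param(xml)}
    if relay_state:
        params["RelayState"] = relay_state
    return GOOGLE_IDP_SSO_URL + "&" + urlencode(params)

def wrap_in_account_chooser(idp_url):
    # First hop: the chooser; its "continue" parameter carries the encoded IdP hop.
    return ACCOUNT_CHOOSER_URL + "?" + urlencode({"continue": idp_url})

def query_params(url):
    return parse_qs(urlsplit(url).query)

def login_redirect_url(relay_state=None):
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    xml = build_authn_request("_" + uuid.uuid4().hex, now)
    return wrap_in_account_chooser(build_idp_redirect_url(xml, relay_state))
```

`login_redirect_url()` returns the URL your app should send the browser to when a user starts SSO; the SAML response still arrives at the ACS URL as before, so nothing on the assertion-handling side changes.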