18

I'm working on a SAML SSO integration for our app using Google / G Suite. Our customers configure our SAML app in their company's G Suite admin settings. The integration works correctly in most cases:

  • Suppose you're not signed into a Google account yet. You initiate the SSO process. You're prompted to sign into your company Google account, and SSO works correctly.

[image: google account prompt when not signed in yet]

  • Suppose you're already signed into your company Google account and your personal Google account. You initiate the SSO process. You see an account chooser. If you choose your company Google account, SSO works correctly.

[image: account chooser prompt when signed into multiple accounts]

However, SSO fails in this case:

  • Suppose you are only signed into your personal Google account. Google does not display the account chooser. Instead, you immediately get a 403 error: "Error: app_not_configured_for_user."

[image: 403 error if only signed into wrong account]

This has led to a very confusing experience for our users. It's pretty common that you're currently only signed into one google account that's not your company google account. Furthermore, the error page is opaque -- it's not clear to a user what they did wrong.

Is there any way to always show the account chooser? For example, are there any parameters we can add to the /o/saml2/idp url or the SAML AuthnRequest? (E.g. we tried setting ForceAuthn and adding a <saml:Subject> block in the AuthnRequest, but it seems Google's SAML does not support either.)

Or is there a way for our app to get a callback on error, so we can show a more meaningful error message?

(I contacted G Suite support, and they said to ask our question on Stack Overflow instead. Appreciate your help here!)

Sohan Jain
  • Hi Sohan, did you find a workaround for this issue? I am currently having the same issue. – NPhillips Nov 07 '19 at 11:24
  • @NPhillips unfortunately we did not find a workaround. We did not hear back from G Suite Support either. Please let me know if you find a solution here as well! – Sohan Jain Nov 08 '19 at 22:03
  • Same problem, still no solution – julian-alarcon May 04 '20 at 21:23
  • This only happens when you are logged in to your personal account only... If you have Google's multi-user mode and are already logged in to all accounts, it's not an issue... the option below works best. It's not strictly standards compliant... – Ray Foss Oct 07 '21 at 20:56
  • Duplicate of https://stackoverflow.com/questions/42337974/google-g-suite-saml-sso-domain-login-page – identigral Feb 09 '22 at 21:56
  • I am facing the same issue (only one account is signed in; the others, including the IdP domain, are signed out). We have Keycloak as service provider and are using Google as IdP (SAML2 app). Would like to know a solution or workaround to forcefully enable the Account Chooser using Keycloak config? – Aslam Sayyed Jun 29 '22 at 17:04

4 Answers

4

Instead of redirecting directly from your app to the Google IdP, you need to redirect to https://accounts.google.com/accountchooser?continue={theredirectURL}

See Google SAML app_not_configured_for_user / equivalent of prompt=select_account SAML

tripper54
  • Doing that gives me `null. That’s an error., Error parsing the request, No SAML message present in request That’s all we know.` My url looks like this `https://accounts.google.com/accountchooser?continue=https://accounts.google.com/o/saml2/idp?idpid=xxxx` – papanito Nov 26 '22 at 12:07
0

If you are using passport-saml, there is a fork that fixes this behavior.
Set `googleAuth: true` in the configuration, and during authorization there will be a redirect to the Google account selection page.

-1

I had this same issue. When I then added the G suite account to my Android device under Settings > Accounts and retried the login flow, I was properly prompted with the Account Chooser. Not the solution I was really looking for, but it did change the outcome.

esilac
-3

I had the exact same problem when working with Keeper Password Manager. I solved it by erasing everything from ~/Library/Application Support/Keeper Password Manager/Cookies

I suggest you look for a similar folder in your app and do the same

fran
  • Thanks for the reply. If you delete your cookies, then you also sign yourself out of all google accounts. This issue in this post only happens when a user is signed into multiple accounts. Ideally there's a server-side solution that google provides that solves the problem for all our customers. Telling our customers to delete their cookies or to sign out of all of their accounts is not the most user-friendly experience unfortunately – Sohan Jain Dec 14 '19 at 03:45