
SSO configuration with Google SAML with Google as IdP fails with "app_not_configured_for_user"

Open wilson-matrixc opened this issue 4 years ago • 3 comments

Steps to reproduce

  1. Install the SSO & SAML authentication (v4.11) App in NextCloud 22.2.0

  2. Create a Custom SAML Application in Google Workspace with the name Nextcloud:

     - Enabled for: All users in Google Organization
     - ACS URL: https://example.nextcloud.domain/index.php/apps/user_saml/saml/acs
     - Entity ID: https://example.nextcloud.domain/index.php/apps/user_saml/saml/metadata
     - Start URL: Empty
     - Signed Response: Unticked
     - Certificate: Generated by Google (just copy out the cert data)
     - Name ID Format: EMAIL
     - Name ID: Basic Information > Primary Email
     - SAML Attribute Mapping: Basic Information > Primary Email = mail

  3. Configure SSO & SAML Authentication in Next Cloud:

     - Only allow authentication if an account exists on some other backend (e.g. LDAP): Unticked
     - Use SAML auth for the nextUC secure share desktop clients (requires user re-authentication): Ticked
     - Allow the use of multiple user back-ends (e.g. LDAP): Ticked
     - Attribute to Map the UID: mail
     - Optional Name: Specified
     - Identifier of IDP: https://accounts.google.com/o/saml2?idpid=CustomerID
     - URL Target of the IDP: https://accounts.google.com/o/saml2/idp?idpid=CustomerID
     - No Attribute Mappings
     - No Security Settings ticked

Expected behaviour

When a user logs in via the SSO button, they are able to log in to their Google Account, finish the process and be handed back to NextCloud via any configured Start URL.

Actual behaviour

Users are directed to Google to log in and, after finishing the 2SV process, they receive the following error from Google:

403: app_not_configured_for_user

According to Google Documentation, it can be one of two things:

  1. The SAML app is not enabled for all users in the Google Workspace admin console.
  2. The SSO & SAML Authentication plugin is returning the wrong Entity ID resulting in Google returning the error.

We've verified that we've assigned the permissions for SAML to all Google users and that shouldn't be the problem. How do we troubleshoot what the SSO plugin is returning to Google?

wilson-matrixc · Oct 26 '21 07:10
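The question above asks how to see what the plugin is sending to Google. As an added example (not code from the issue or from the user_saml project): in the HTTP-Redirect binding, the `SAMLRequest` query parameter of the redirect to accounts.google.com is a raw-DEFLATE AuthnRequest wrapped in base64, so it can be decoded offline and its Issuer (the Entity ID) and AssertionConsumerServiceURL compared with the values entered in the Google Custom SAML App. The AuthnRequest below is a constructed sample; the hostname and `CustomerID` are the issue's own placeholders.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

# Values entered on the Google side in the issue above (placeholder hostname).
EXPECTED_ENTITY_ID = "https://example.nextcloud.domain/index.php/apps/user_saml/saml/metadata"
EXPECTED_ACS_URL = "https://example.nextcloud.domain/index.php/apps/user_saml/saml/acs"
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def decode_saml_request(saml_request: str) -> str:
    """HTTP-Redirect binding: the SAMLRequest query parameter is raw DEFLATE
    (no zlib header) wrapped in base64. URL-decode the parameter first."""
    return zlib.decompress(base64.b64decode(saml_request), -15).decode()


def encode_saml_request(xml_text: str) -> str:
    """Inverse of decode_saml_request; used here only to build the sample."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(c.compress(xml_text.encode()) + c.flush()).decode()


def inspect_authn_request(saml_request: str) -> dict:
    """Extract the fields Google matches against the Custom SAML App settings
    and flag any that differ from what was configured there."""
    root = ET.fromstring(decode_saml_request(saml_request))
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS)
    acs = root.get("AssertionConsumerServiceURL", "")
    return {"issuer": issuer, "acs_url": acs,
            "destination": root.get("Destination", ""),
            "issuer_ok": issuer == EXPECTED_ENTITY_ID,
            "acs_ok": acs == EXPECTED_ACS_URL}


def sample_request(issuer: str) -> str:
    """Constructed minimal AuthnRequest (not captured from user_saml)."""
    xml_text = (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_ex1" Version="2.0" '
        'IssueInstant="2021-10-26T07:10:00Z" '
        'Destination="https://accounts.google.com/o/saml2/idp?idpid=CustomerID" '
        f'AssertionConsumerServiceURL="{EXPECTED_ACS_URL}">'
        f'<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>')
    return encode_saml_request(xml_text)


if __name__ == "__main__":
    # Constructed mismatch: Issuer missing the /index.php segment Google expects.
    bad = sample_request("https://example.nextcloud.domain/apps/user_saml/saml/metadata")
    for key, value in inspect_authn_request(bad).items():
        print(f"{key}: {value}")
```

To check a live login, copy the `SAMLRequest` value from the redirect URL in the browser's network tab, URL-decode it, and pass it to `inspect_authn_request`; a `False` next to `issuer_ok` means the Entity ID Google sees is not the one configured in the Custom SAML App.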

Yo! This problem is also occurring for us. Did anyone manage to understand what is going on?

Cheers, Cris

ctrombet · Apr 25 '22 13:04

Any update?

bgdsh · Jun 23 '22 06:06

For us this is solved. The issue was that Google took between 24h and 48h to propagate its changes. Try waiting and see if the problem persists. If the configuration is correct it should work. For a reference on configuration, the best we could find was this Japanese website, which we managed to follow even though we don't know Japanese! Lots of screenshots, so please have a look here:

https://mseeeen.msen.jp/nextcloud-saml-sso-with-google/

Hope someone finds this useful. Cheers, Cris

ctrombet · Jun 23 '22 09:06