
Google Workspaces - SAML App Issues

Open jsonpj3wt opened this issue 10 months ago • 2 comments

I am seeing the Error: app_not_configured_for_user. What does work is testing from Google Workspaces to GLPI using the plugin (works perfectly).

The SAML Response is as follows:

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                    ID="ONELOGIN_784e09d4384f7f5f546473f2c1b919b58da6b186"
                    Version="2.0"
                    IssueInstant="2024-04-16T21:54:10Z"
                    Destination="https://accounts.google.com/o/saml2/idp?idpid=<id>"
                    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                    AssertionConsumerServiceURL="https://my.domain.com/plugins/phpsaml/front/acs.php">
  <saml:Issuer>https://my.domain.com/</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
                      AllowCreate="true" />

</samlp:AuthnRequest>

One caveat to this: I am using a load balancer for the domain, which uses port 80 (HTTP) to communicate between the load balancer and GLPI. I did modify setup.php to always use https over HTTP as an attempt to see if the relayState (now https://my.domain.com/index.php?SSO=1) was the cause, but that did not fix the issue. Again, it works fine from Google to GLPI, including JIT Assertion. I want to say it is a configuration on the Google Workspaces side:

SSO configuration on Google:

  • ACS URL: https://my.domain.com/plugins/phpsaml/front/acs.php - which does seem to work right from testing the SAML login from Google.
  • Entity Id: https://my.domain.com
  • Name ID format: EMAIL
  • Name ID: Basic Information > Primary Email

Additional Info

  • GLPI 10.0.14 ( => /var/www/html/glpi)
  • Installation mode: TARBALL
  • Current language: en_US
  • phpsaml - Name: PHP SAML - Version: 1.2.1 - State: Enabled - Install Method: Manual

PHP SAML Configuration

  • Strict: No
  • JIT Provisioning: Yes
  • Debug: Yes
  • Identity Provider Entity Id: https://accounts.google.com/o/saml2?idpid=<id>
  • Identity Provider Single Sign On Service URL: https://accounts.google.com/o/saml2/idp?idpid=<id>
  • Identity Provider Public X509 Certificate: ----BEGIN CERTIFICATE---- <cert> -----END CERTIFICATE-----
  • Requested Authn Context: X509
  • Requested Authn Comparison: Minimum

jsonpj3wt, Apr 17 '24 02:04
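A consistency check over the values in this report, added here as an example and not part of the issue or of the phpsaml plugin: it parses the AuthnRequest quoted above (copied with the redacted `<id>` in the Destination replaced by a labelled placeholder so the XML is well-formed) and compares the SP-side Issuer, AssertionConsumerServiceURL and NameIDPolicy Format against the values the post lists for the Google Workspace SAML app. The comparison is exact string equality, which is how SAML entity identifiers are matched in practice, so the trailing slash on the Issuer (`https://my.domain.com/`) versus the configured Entity Id (`https://my.domain.com`) is reported as a mismatch. `GOOGLE_APP_CONFIG`, `parse_authn_request` and `compare_with_idp_config` are this example's own names.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed copy of the AuthnRequest from the report. The original's
# redacted "<id>" is not well-formed inside an attribute, so it is replaced
# with the placeholder IDPID_PLACEHOLDER.
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                    ID="ONELOGIN_784e09d4384f7f5f546473f2c1b919b58da6b186"
                    Version="2.0"
                    IssueInstant="2024-04-16T21:54:10Z"
                    Destination="https://accounts.google.com/o/saml2/idp?idpid=IDPID_PLACEHOLDER"
                    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                    AssertionConsumerServiceURL="https://my.domain.com/plugins/phpsaml/front/acs.php">
  <saml:Issuer>https://my.domain.com/</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
                      AllowCreate="true" />
</samlp:AuthnRequest>
"""

# Values the post says were entered in the Google Workspace SAML app.
# "EMAIL" in the Google UI corresponds to the SAML 1.1 emailAddress format.
GOOGLE_APP_CONFIG = {
    "entity_id": "https://my.domain.com",
    "acs_url": "https://my.domain.com/plugins/phpsaml/front/acs.php",
    "nameid_format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
}


def parse_authn_request(xml_text):
    """Extract the SP-side identifiers from a SAML 2.0 AuthnRequest."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise ValueError("not a samlp:AuthnRequest: %s" % root.tag)
    issuer = root.find("saml:Issuer", NS)
    policy = root.find("samlp:NameIDPolicy", NS)
    return {
        # Issuer text is taken verbatim; no normalisation of the trailing slash.
        "issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "destination": root.get("Destination"),
        "nameid_format": policy.get("Format") if policy is not None else None,
    }


def compare_with_idp_config(request, idp_config):
    """Return a list of (field, sp_value, idp_value) for every field where the
    value the SP sends differs from the value registered at the IdP.

    Exact string comparison is deliberate: entity IDs and ACS URLs are opaque
    identifiers to the IdP, so "https://a/" and "https://a" are different.
    """
    pairs = [
        ("entity_id", request["issuer"], idp_config["entity_id"]),
        ("acs_url", request["acs_url"], idp_config["acs_url"]),
        ("nameid_format", request["nameid_format"], idp_config["nameid_format"]),
    ]
    return [(field, sp, idp) for field, sp, idp in pairs if sp != idp]


if __name__ == "__main__":
    req = parse_authn_request(AUTHN_REQUEST)
    for field, sp, idp in compare_with_idp_config(req, GOOGLE_APP_CONFIG):
        print("MISMATCH %-14s SP sends %r, IdP has %r" % (field, sp, idp))
```

Run against the request and configuration from the report, the only line printed is the entity_id mismatch; after aligning the two strings (either value, as long as both sides agree) the check returns an empty list.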