Google SAML app_not_configured_for_user / equivalent of prompt=select_account SAML

≯℡__Kan透↙ submitted on 2020-02-02 11:43:14

Question


I'm using G Suite as a SAML IdP to authenticate users of my organisation on internal apps.

Everything is working fine, except for one point: when one of my users is logged in with his/her personal account only, Google will fail with:

403 Error: app_not_configured_for_user

This makes sense, as the app is intended to be used by internal users only, but I would like to be able to force Google SAML authentication to display the account selector even if the user is already logged in to one account, as is possible for OAuth2 with prompt=select_account.

Is there any way to have the same behavior with SAML?


[EDIT] I actually managed to achieve what I want by using

https://accounts.google.com/AccountChooser/?continue=$SAML_REQUEST$


[EDIT 2] Here is the code snippet for the adaptation in Ruby on Rails (using ruby-saml):

config/initializers/saml_override.rb

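require "cgi"

module OneLogin
  module RubySaml
    # Reopen ruby-saml's Authrequest so every SAML login redirect goes
    # through Google's account chooser first.
    class Authrequest < SamlMessage
      GOOGLE_ACCOUNT_CHOOSER_URL = "https://accounts.google.com/AccountChooser?continue="
      # Keep a handle on the original implementation before overriding it.
      alias_method :old_create, :create
      def create(settings, params = {})
        self.old_create(settings, params)
        # Escape the whole login URL so its SAMLRequest query string is
        # carried intact inside the single "continue" parameter.
        @login_url = GOOGLE_ACCOUNT_CHOOSER_URL + CGI.escape(@login_url)
      end
    end
  end
end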

Source: https://stackoverflow.com/questions/48806629/google-saml-app-not-configured-for-user-equivalent-of-prompt-select-account-sa
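The wrapping described in the post, as an added stand-alone example that is not the poster's or ruby-saml's code: it wraps only redirects aimed at the Google IdP host and lets you check that `SAMLRequest` and `RelayState` survive inside `continue`. The helper names, the `idpid` value and the sample request and relay values are constructed for illustration.

```ruby
require "cgi"
require "uri"

# Account chooser endpoint taken from the post above.
GOOGLE_ACCOUNT_CHOOSER_URL = "https://accounts.google.com/AccountChooser?continue="
# Assumption: only redirects to this IdP host should be wrapped.
GOOGLE_IDP_HOST = "accounts.google.com"

# Wrap a SAML redirect URL in the account chooser. URLs for any other IdP
# (or unparsable input) are returned unchanged.
def wrap_with_account_chooser(login_url)
  uri = URI.parse(login_url)
  return login_url unless uri.is_a?(URI::HTTPS) && uri.host == GOOGLE_IDP_HOST
  GOOGLE_ACCOUNT_CHOOSER_URL + CGI.escape(login_url)
rescue URI::InvalidURIError
  login_url
end

# Query parameters of a URL as a hash (decoded once).
def query_params(url)
  URI.decode_www_form(URI.parse(url).query.to_s).to_h
end

# The URL the chooser is asked to continue to, or nil if none is present.
def continue_target(wrapped_url)
  query_params(wrapped_url)["continue"]
end

# Constructed sample values: "+", "/" and "=" stand in for real base64
# output, and the RelayState carries its own query string.
SAMPLE_SAML_REQUEST = "fZJ+a/b=="
SAMPLE_RELAY_STATE  = "https://app.example.com/home?x=1&y=2"
SAMPLE_LOGIN_URL = "https://accounts.google.com/o/saml2/idp?idpid=C0000000" \
                   "&SAMLRequest=#{CGI.escape(SAMPLE_SAML_REQUEST)}" \
                   "&RelayState=#{CGI.escape(SAMPLE_RELAY_STATE)}"

if __FILE__ == $PROGRAM_NAME
  wrapped = wrap_with_account_chooser(SAMPLE_LOGIN_URL)
  puts wrapped
  puts "inner URL intact: #{continue_target(wrapped) == SAMPLE_LOGIN_URL}"
  # Without escaping, "&" splits the inner query into outer parameters.
  naive = GOOGLE_ACCOUNT_CHOOSER_URL + SAMPLE_LOGIN_URL
  puts "naive outer params: #{query_params(naive).keys.inspect}"
end
```
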
