jitbit/AspNetSaml

G suite Problem

hagaygo opened this issue · 3 comments

Hi,

I managed to get SSO working with my company G suite domain.

Our app gets the email just fine as stated.

The problem is when the browser has another domain's Gmail user session.

When the browser is already signed in to a "regular" Gmail account (i.e. @gmail.com), redirecting to the generated redirect URL gives us:

[screenshot]

which is "half bad", but when the browser has another active G Suite session we get:

[screenshot]

The only way to fix it is to go to another Gmail/Google page in the client browser and sign out of the account, but of course we can't expect a user to do that or to know that he needs to do that.

When no account is signed in we get a good selection dialog from Google:

[screenshot]

1. Is this a common problem, or am I missing something?
2. Is there any way to generate a redirect URL such that the user will always see the account selection dialog if relevant?
3. Any other way to handle this issue?

Thanks in advance.

Here's a tutorial on how to configure an app for Google SAML. The tutorial is for our app, Jitbit Helpdesk, but you should be able to extrapolate the knowledge: https://www.jitbit.com/hosted-helpdesk/saml-google/

Seems like the problem is on the G Suite side.

Thanks for your answer.

Just to be clear, everything is working fine as long as the browser doesn't have other active G Suite/Gmail sessions.

To elaborate:

I successfully set up SAML SSO login using this code with settings similar to the link you provided.
Let's say the domain is mydomain.net.

When using a "new" browser with no active session, my web site generates a redirect URL using the code and the browser is redirected to a Google sign-in page.
After successful authentication Google posts to my SAML consume URL and my code verifies the post and gets the authenticated user's email (in my case).

Same procedure exactly, just I am starting with a browser that has an active session to my private Gmail account.
The generated redirect URL shows the 403 error above.

The other problematic scenario is with a browser which has an active G Suite session from another domain like otherdomain.net.
In that case I get the error 500 message.

From your answer I am not sure if you have the same problem or not.

Can you try it with your app? Having an active Gmail session in your browser while going to the redirect page.

If it works on your setup can you provide a screenshot of that case (you can of course blur the "private" areas)? I would expect to get a page from Google which allows me to choose which account to use while both of them are "signed in".

Thanks in advance.
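The redirect step described in the comment above (app builds an AuthnRequest, browser is sent to the IdP), as an added example that is neither AspNetSaml's code nor the poster's: it builds the AuthnRequest, encodes it for the SAML 2.0 HTTP-Redirect binding (raw DEFLATE, base64, URL-encode as `SAMLRequest`), and decodes such a URL back so you can inspect exactly what the browser was sent. `ForceAuthn="true"` is the standard SAML 2.0 attribute asking the IdP to re-authenticate instead of silently reusing an existing session; whether a given IdP then shows an account picker is the IdP's own behaviour and is not established by this thread. The issuer, consume URL and `idpid` value below are placeholders.

```python
import base64
import secrets
import urllib.parse
import zlib
from datetime import datetime, timezone
from xml.sax.saxutils import escape

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


def build_authn_request(issuer, acs_url, force_authn=False, request_id=None):
    """Return a minimal SAML 2.0 AuthnRequest as an XML string.

    Keep request_id: the SP should remember it and check InResponseTo on the
    Response it later receives at the consume URL.
    """
    request_id = request_id or "_" + secrets.token_hex(16)
    issue_instant = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    force = ' ForceAuthn="true"' if force_authn else ""
    quote = {'"': "&quot;"}  # attribute values need the double quote escaped too
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        f'AssertionConsumerServiceURL="{escape(acs_url, quote)}"{force}>'
        f"<saml:Issuer>{escape(issuer)}</saml:Issuer>"
        f'<samlp:NameIDPolicy Format="{EMAIL_FMT}" AllowCreate="true"/>'
        "</samlp:AuthnRequest>"
    )


def redirect_url(idp_sso_url, authn_request_xml):
    """HTTP-Redirect binding: raw DEFLATE -> base64 -> SAMLRequest query parameter."""
    # wbits=-15 selects raw DEFLATE (no zlib header/trailer), as the binding requires
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(authn_request_xml.encode("utf-8")) + comp.flush()
    encoded = base64.b64encode(deflated).decode("ascii")
    # Google's SSO endpoint already carries ?idpid=..., so append rather than replace
    sep = "&" if "?" in idp_sso_url else "?"
    return idp_sso_url + sep + urllib.parse.urlencode({"SAMLRequest": encoded})


def decode_saml_request(url):
    """Inverse of redirect_url: recover the AuthnRequest XML from a redirect URL."""
    query = urllib.parse.urlparse(url).query
    encoded = urllib.parse.parse_qs(query)["SAMLRequest"][0]
    return zlib.decompress(base64.b64decode(encoded), -15).decode("utf-8")
```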