Google IdP showing error 403 if logged in through personal gmail, instead of showing a choose accounts or login page


samrudh...@percussion.com

Jan 30, 2018, 10:59:19 AM
to SimpleSAMLphp
What are you trying to do?

I have set up SimpleSAMLphp as SP and Google as my IdP. I want only our group having Google IDs for work to access my website. Logging in works fine if I enter my work credentials, which is expected, but if I try logging in through my personal Gmail account, Google shows me an error 403 page instead of showing a Choose Accounts or a login page. Has anybody experienced such a problem? Is there a workaround to show a friendly error page instead of a Google error page?

Patrick Radtke

Jan 30, 2018, 5:05:21 PM
to SimpleSAMLphp
> Google as my IdP

Does that mean you set up a G-Suite SAML IdP? Or are you using Google's OIDC?

Samrudhdi Gadre

Jan 31, 2018, 7:50:32 AM
to simple...@googlegroups.com
Yes, I have set up G-Suite SAML IdP following this - https://support.google.com/a/answer/6087519?hl=en
I am facing the issue only when I use Google credentials that are not part of our G-Suite account, e.g. a personal Gmail ID. Is there a way to handle this 403 error with SimpleSAMLphp?
Any help is greatly appreciated... Thanks

Jaime Perez Crespo

Jan 31, 2018, 7:59:41 AM
to SimpleSAMLphp
Hi,

On 31 Jan 2018, at 13:50 PM, Samrudhdi Gadre <samrudh...@percussion.com> wrote:
> Yes, I have set up G-Suite SAML IdP following this - https://support.google.com/a/answer/6087519?hl=en
> I am facing the issue only when I use Google credentials that are not part of our G-Suite account, e.g. a personal Gmail ID. Is there a way to handle this 403 error with SimpleSAMLphp?
> Any help is greatly appreciated... Thanks

“Who” is showing the 403 error? Google or SimpleSAMLphp? (as in, what’s the URL in your browser when you see the 403 error?)


Jaime Pérez
UNINETT / Feide

jaime...@uninett.no
jaime...@protonmail.com
9A08 EA20 E062 70B4 616B 43E3 562A FE3A 6293 62C2

"Two roads diverged in a wood, and I, I took the one less traveled by, and that has made all the difference."
- Robert Frost

Samrudhdi Gadre

Jan 31, 2018, 8:12:05 AM
to simple...@googlegroups.com

Jaime Perez Crespo

Jan 31, 2018, 8:44:21 AM
to simple...@googlegroups.com
In that case, what has SimpleSAMLphp to do here? You should definitely check with Google why you are getting this error, and how to fix it. I’m afraid there’s not much we can do here...


Samrudhdi Gadre

Jan 31, 2018, 9:37:57 AM
to simple...@googlegroups.com
I was hoping that there was a missing IdP setting for an error page that the SP could display when the IdP returns that the user is not authorized, instead of displaying the Broken Robot Google IdP page with the cryptic error.
I am using the below code to call SimpleSAMLphp - 

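<?php

require_once('<simplesamlphpPath>/lib/_autoload.php');

$as = new SimpleSAML_Auth_Simple('default-sp');

if (!$as->isAuthenticated()) {
    // login() starts authentication and does not return. A bare requireAuth()
    // placed before it would redirect first, so these options would never apply.
    $as->login(array(
        'saml:idp' => 'https://accounts.google.com/o/saml2?idpid=<GoogleAccountId>',
    ));
}

?>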

I even tried setting the ErrorURL parameter for login, but that is not working either.

Thanks
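
An added example (not code from this thread or from the SimpleSAMLphp project): one way to wire up the ErrorURL login parameter so the SP shows its own page when a login fails. It assumes the script is served at the hypothetical URL https://sp.example.org/login.php, and it only handles errors that are delivered back to the SP; an error page the IdP renders itself, without sending a SAML response, never reaches this code.

```php
<?php
// Added example. <simplesamlphpPath>, <GoogleAccountId> and the
// sp.example.org URL are placeholders/assumptions, not values from the thread.
require_once('<simplesamlphpPath>/lib/_autoload.php');

$self = 'https://sp.example.org/login.php'; // hypothetical URL of this script
$as = new SimpleSAML_Auth_Simple('default-sp');

// Case 1: SimpleSAMLphp redirected the browser back to ErrorURL. It appends
// an exception id, which is used to load the saved state and the exception.
if (isset($_REQUEST[SimpleSAML_Auth_State::EXCEPTION_PARAM])) {
    $state = SimpleSAML_Auth_State::loadExceptionState();
    $e = is_array($state) ? $state[SimpleSAML_Auth_State::EXCEPTION_DATA] : null;

    // Keep the detail in the server log; the status text comes from the IdP
    // and should not be echoed into the page.
    if ($e instanceof sspmod_saml_Error) {
        error_log('SAML error from IdP: ' . $e->getStatus() . ' / ' . $e->getSubStatus());
    } elseif ($e instanceof Exception) {
        error_log('SSO login failed: ' . get_class($e));
    }

    http_response_code(403);
    echo 'Sign-in failed. Please sign in with your work account.';
    exit;
}

// Case 2: normal entry. Start the login and name this script as the error page.
if (!$as->isAuthenticated()) {
    $as->login(array(
        'saml:idp' => 'https://accounts.google.com/o/saml2?idpid=<GoogleAccountId>',
        'ErrorURL' => $self, // used only for errors that reach the SP
        'ReturnTo' => $self,
    ));
    // login() does not return.
}

// Case 3: authenticated. Attributes come from the validated assertion.
$attributes = $as->getAttributes();
echo 'Signed in.';
```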
