SAML Configuration with GSuite (Google)
1,295 views
Skip to first unread message
Benjamin BINIER
Jun 24, 2020, 4:53:10 AM6/24/20
to jorani
Hello,
I'm trying to configure SAML in Jorani using Google Suite as IdP but I can't get it working.
Here is an overview of my GoogleIDPMetadata file provided by Google Suite:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://accounts.google.com/o/saml2?idpid=xxxyyyzzz" validUntil="YYYY-MM-DDTHH:mm:SS.000Z">
<md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data> <ds:X509Certificate>
xxxxxxxxxxxxxxx</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://accounts.google.com/o/saml2/idp?idpid=xxxyyyzzz"/>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://accounts.google.com/o/saml2/idp?idpid=xxxyyyzzz"/>
</md:IDPSSODescriptor>
</md:EntityDescriptor>
And here is what I configure in jorani/application/config/saml.php:
<?php
/**
* SAML Configuration file (for Onelogin PHP Library)
* Full documentation is available at https://developers.onelogin.com/saml/php
* @copyright Copyright (c) 2014-2018 Benjamin BALET
* @license http://opensource.org/licenses/AGPL-3.0 AGPL-3.0
* @link https://github.com/bbalet/jorani
* @since 0.5.0
*/
//You must switch $config['saml_enabled'] to TRUE into config/config.php prior using SAML
//Field Mapping : how to get the e-mail
$samlMailMap = 'User.email';
//You shouldn't change the 'sp' sub-array, but only the content of 'idp' sub-array
//Sp is specific to the application (Jorani)
//Idp is specific to your identity provider
$settingsInfo = array(
'sp' => array(
'entityId' => base_url() . 'metadata',
'assertionConsumerService' => array(
'url' => base_url() . 'api/acs',
),
'singleLogoutService' => array(
'url' => base_url() . 'api/sls',
),
'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
),
'idp' => array(
'entityId' => 'https://accounts.google.com/o/saml2/idp?idpid=xxxyyyzzz',
'singleSignOnService' => array(
'url' => 'https://accounts.google.com/o/saml2/idp?idpid=xxxyyyzzz',
),
'singleLogoutService' => array(
'url' => 'https://accounts.google.com/o/saml2/idp?idpid=xxxyyyzzz',
),
'x509cert' => '-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxx
-----END CERTIFICATE-----',
),
);
On Google suite side, I've tried to configure my application URL as https://myhost.mydomain.com or as https://myhost.mydomain.com/api/sso but I don't see any difference, I'm still facing the same error:
Error: app_not_configured_for_user
Service is not configured for this user.
Request Details
I've tested with Jorani v0.6.5 and with a clone from master but the result is the same.
Do you have any leads ?
Thanks.
Benjamin BALET
Jun 24, 2020, 5:05:38 AM6/24/20
to jorani
Last time I encountered this issue, the application was actually not allowed for the test user.
Another time, I've just waited 4h or so for the permission to be propagated on GSuite users.
Another from Google support website (but it would require you to debug at protocol level: https://support.google.com/a/answer/6301076?hl=en):
403 app_not_configured_for_user
To resolve the 403 app_not_configured_for_user error:
Verify that the value in the saml:Issuer tag in the SAMLRequest matches the Entity ID value configured in the SAML Service Provider Details section in the Admin console. This value is case-sensitive.
--
You received this message because you are subscribed to the Google Groups "jorani" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jorani+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jorani/589e477a-57d4-4714-8476-97f00e9f4878o%40googlegroups.com.
Benjamin BINIER
Jun 24, 2020, 10:30:58 AM6/24/20
to jorani
Thanks for your help.
I've managed to get SAML working by using:
- jorani from master branch
- following parameters on GSuite:
- ACS URL: https://myhost.mydomain.com/api/acs
- Entity ID: https://myhost.mydomain.com/api/metadata
- Start URL: https://myhost.mydomain/
And by relying on email address to map usernames.
Thanks again !
Benoit Martinez
Jan 27, 2021, 2:25:28 PM1/27/21
to jorani
Hello
Finally, how do you map email to what attributes of the app in Google SAML application ?
Because i'v got the same error "403. That’s an error.Error: app_not_configured_for_user Service is not configured for this user.'
with this saml.php :
'sp' => array(
'entityId' => base_url() . 'api/metadata',
'assertionConsumerService' => array(
'url' => base_url() . 'api/acs',
),
'singleLogoutService' => array(
'url' => base_url() . 'api/sls',
),
'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
),
'idp' => array(
'entityId' => 'https://accounts.google.com/o/saml2?idpid=XXXXXXXXX',
'singleSignOnService' => array(
),
'singleLogoutService' => array(
'url' => '',
),
'x509cert' => '-----BEGIN CERTIFICATE-----
XXXXXXXXX
-----END CERTIFICATE-----',
),
Thanks
----------------------------------------------
अभिषेक नागर SM IET Lucknow
Apr 29, 2021, 9:11:48 AM4/29/21
to jorani
I was able configure SAML the Login is working fine, but when i click Logout i get the following message
You have logged out of Jorani but are still logged into your Identity Provider. Click on Login to automatically log back into Jorani.
When i even logout from GSuite and i visit Jorani i am logged in.
Help Needed
Regards
Benjamin BALET
Apr 29, 2021, 9:14:14 AM4/29/21
to jorani
Google doesn't support the SAML logout scenario.
The sign-out URL you configure in Google is where it will redirect to. This is a simple HTTP Get rather than a SAML logout request.
Institute of Engineering & Technology,
Sitapur Road, Lucknow -226021 Uttar Pradesh, IndiaYouTube : https://bit.ly/2VU63Jz
Facebook : https://www.facebook.com/ietlko
Twitter : https://twitter.com/iet_lucknow
Linkedin : https://www.linkedin.com/school/ietlucknow/
Telegram : https://t.me/ietlucknowbot
--
You received this message because you are subscribed to the Google Groups "jorani" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jorani+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jorani/3d128848-2629-4c73-ae3b-ac5f4637abfbn%40googlegroups.com.
अभिषेक नागर
Apr 29, 2021, 9:16:22 AM4/29/21
to jor...@googlegroups.com
What is a way around to logout user from Jorani what URL should we use as logout URL. So that when the user visits the login page again a GSuite Login screen is presented instead continuing the last session.
To view this discussion on the web visit https://groups.google.com/d/msgid/jorani/CAPFJBOQ%2BUi%3D1bhcKXpynHMrOn%2BA3yLVe4BZs4VRdz4qrDWCEeA%40mail.gmail.com.
Benjamin BALET
Apr 29, 2021, 9:17:51 AM4/29/21
to jorani
The PHP session is destroyed at logout.
Are you sure that the Jorani session is not ended?
To view this discussion on the web visit https://groups.google.com/d/msgid/jorani/CAPf81ts54ATPmpuXAX15DV%2B%2B-az1xGf1TjWn1AGNM206hocz_w%40mail.gmail.com.
अभिषेक नागर
Apr 29, 2021, 9:20:57 AM4/29/21
to jor...@googlegroups.com
Yes its not ending
Scenario
1) Click Logout in Jorani results to /api/slo page with a message You have logged out of Jorani but are still logged into your Identity Provider. Click on Login to automatically log back into Jorani.
2) Sign Out from G Suite
3) Revisit Jorani /api/slo click on Login the User Logs in
To view this discussion on the web visit https://groups.google.com/d/msgid/jorani/CAPFJBOSLGO1NVyhh%2BvrrcEAfy74r1p7V_06uDoL%2Bd8TanhREHA%40mail.gmail.com.
Benjamin BALET
Apr 29, 2021, 10:39:49 AM4/29/21
to jorani
These are two different things.
What happens if you click on logout (from Jorani), and then manually enter the url of Jorani, for example https://myjorani.test.com/ ? Is the user connected or has it to login again ?
To view this discussion on the web visit https://groups.google.com/d/msgid/jorani/CAPf81tvFYJod%2BsK6V022OTQMCX0o-0BTo9NOPj_Po6ko_FN3mQ%40mail.gmail.com.
अभिषेक नागर
Apr 29, 2021, 10:44:02 AM4/29/21
to jor...@googlegroups.com
The user is connected no Login Screen is visible.
The user is successfully logged in automatically.
To view this discussion on the web visit https://groups.google.com/d/msgid/jorani/CAPFJBORoRAZ_PxaFUSUNcEFG1uSs0Dx0XRPDnmL%3DixkSFnF2sg%40mail.gmail.com.
Reply all
Reply to author
Forward
0 new messages