Google SAML app_not_configured_for_user / equivalent of prompt=select_account SAML


Question

I'm using Gsuite as a SAML IdP to authenticate users of my organisation on internal apps.

Everything is working fine, except for one point: when one of my users is logged in with his/her personal account only, Google will fail with:

403 Error: app_not_configured_for_user

This makes sense, as the app is intended to be used by internal users only, but I would like to be able to force Google SAML authentication to display the account selector even if the user is already logged in to one account, as this is possible for OAuth2 with prompt=select_account.

Any way to have the same behavior with SAML?

I actually did this by using

https://accounts.google.com/AccountChooser/?continue=$SAML_REQUEST$

Here is the snippet adapted for Ruby on Rails (using ruby-saml):

config/initializers/saml_override.rb

require 'cgi'

module OneLogin
  module RubySaml
    class Authrequest < SamlMessage
      GOOGLE_ACCOUNT_CHOOSER_URL = "https://accounts.google.com/AccountChooser?continue="
      alias_method :old_create, :create

      # Build the normal SAML redirect URL, then wrap it in Google's account
      # chooser so the user picks which signed-in account to continue with.
      # Note: this patch wraps the login URL of every IdP, not only Google's.
      def create(settings, params = {})
        old_create(settings, params)
        @login_url = GOOGLE_ACCOUNT_CHOOSER_URL + CGI.escape(@login_url)
      end
    end
  end
end

Recommended answer

require 'cgi'

class SamlController < ApplicationController

  def init
    request = OneLogin::RubySaml::Authrequest.new
    redirect = request.create(saml_settings)

    # google doesn't support ForceAuthn so we have to redirect requests to the account chooser first
    google_account_url_chooser = "https://accounts.google.com/AccountChooser?continue="
    if redirect.include?("https://accounts.google.com")
      encoded_redirect = CGI.escape(redirect)
      redirect = "#{google_account_url_chooser}#{encoded_redirect}"
    end

    redirect_to(redirect)
  end

  def saml_settings
    # ... (SAML settings omitted in the original answer)
  end
end
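As an added, standalone example (not code from the answer above or from ruby-saml), here is the same wrapping logic with two changes a practitioner would want: the answer's substring test on the redirect string is replaced by an exact scheme-and-host check so that only a redirect really aimed at accounts.google.com is wrapped, and an unwrap helper confirms that the already-escaped SAMLRequest and RelayState parameters survive the second layer of URL encoding. The sample redirect URL, idpid and SAMLRequest values are constructed placeholders.

```ruby
require 'cgi'
require 'uri'

GOOGLE_ACCOUNT_CHOOSER = "https://accounts.google.com/AccountChooser".freeze
GOOGLE_SSO_HOST = "accounts.google.com".freeze

# True only when the redirect really targets Google's SSO endpoint: exact
# scheme and host match, rather than a substring test on the whole URL.
def google_idp_redirect?(redirect_url)
  uri = URI.parse(redirect_url)
  uri.is_a?(URI::HTTPS) && uri.host == GOOGLE_SSO_HOST
rescue URI::InvalidURIError
  false
end

# Wrap a Google SAML redirect in the AccountChooser so the user is asked which
# signed-in account to continue with. Other IdP redirects come back unchanged.
def wrap_in_account_chooser(redirect_url)
  return redirect_url unless google_idp_redirect?(redirect_url)
  "#{GOOGLE_ACCOUNT_CHOOSER}?continue=#{CGI.escape(redirect_url)}"
end

# Recover the wrapped redirect from an AccountChooser link; used to check that
# the SAMLRequest and RelayState parameters survive the extra escaping intact.
def unwrap_account_chooser(chooser_url)
  uri = URI.parse(chooser_url)
  URI.decode_www_form(uri.query.to_s).to_h["continue"]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample in the shape ruby-saml's Authrequest#create returns for
  # Google; the idpid and SAMLRequest values are placeholders, not real ones.
  sample = "https://accounts.google.com/o/saml2/idp?idpid=EXAMPLEID" \
           "&SAMLRequest=fZ%2FxAbC%3D%3D&RelayState=%2Fdashboard"
  wrapped = wrap_in_account_chooser(sample)
  puts wrapped
  puts "round-trip ok: #{unwrap_account_chooser(wrapped) == sample}"
end
```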
