Google SAML app_not_configured_for_user / equivalent of prompt=select_account SAML
Problem description
I'm using Gsuite as a SAML IdP to authenticate users of my organisation on internal apps.
Everything is working fine, except for one point: when one of my users is logged in with his/her personal account only, Google will fail with:
403 Error: app_not_configured_for_user
This makes sense, as the app is intended to be used by internal users only, but I would like to be able to force Google SAML authentication to display the account selector even if the user is already logged in to one account, as is possible for OAuth2 with prompt=select_account.
Any way to have the same behavior with SAML?
I actually managed to achieve what I want by using
https://accounts.google.com/AccountChooser/?continue=$SAML_REQUEST$
Here is the code snippet to adapt this in Ruby on Rails (using ruby-saml), in config/initializers/saml_override.rb:
```ruby
require "cgi"

module OneLogin
  module RubySaml
    class Authrequest < SamlMessage
      GOOGLE_ACCOUNT_CHOOSER_URL = "https://accounts.google.com/AccountChooser?continue="

      alias_method :old_create, :create

      # Build the normal IdP login URL first, then wrap it so that Google shows
      # the account chooser; the original URL travels in the escaped continue= parameter.
      def create(settings, params = {})
        self.old_create(settings, params)
        @login_url = GOOGLE_ACCOUNT_CHOOSER_URL + CGI.escape(@login_url)
      end
    end
  end
end
```
Recommended answer
```ruby
class SamlController < ApplicationController
  def init
    request = OneLogin::RubySaml::Authrequest.new
    redirect = request.create(saml_settings)
    # Google doesn't support ForceAuthn, so we have to redirect requests to the account chooser first
    google_account_url_chooser = "https://accounts.google.com/AccountChooser?continue="
    if redirect.include?("https://accounts.google.com")
      encoded_redirect = CGI.escape(redirect)
      redirect = "#{google_account_url_chooser}#{encoded_redirect}"
    end
    redirect_to(redirect)
  end

  def saml_settings
    ...
  end
end
```
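The same wrapping as a stand-alone helper, added here as an example (not code from the question, the answer or ruby-saml): it applies the AccountChooser redirect only when the parsed host of the login URL is exactly accounts.google.com rather than testing for a substring, and includes an unwrap helper so the round trip through continue= can be checked. The sample login URL is constructed (placeholder idpid and SAMLRequest values).

```ruby
require "cgi"
require "uri"

GOOGLE_ACCOUNT_CHOOSER_URL = "https://accounts.google.com/AccountChooser?continue="
GOOGLE_IDP_HOST = "accounts.google.com"

# True only when the login URL really points at Google's IdP: compare the
# parsed scheme and host, so a URL that merely contains the string
# "accounts.google.com" somewhere else is not wrapped.
def google_idp?(login_url)
  uri = URI.parse(login_url)
  uri.scheme == "https" && uri.host == GOOGLE_IDP_HOST
rescue URI::InvalidURIError
  false
end

# Wrap a ruby-saml login redirect in the AccountChooser URL. The whole
# login URL (including its own SAMLRequest/RelayState query) is escaped
# so it survives as a single continue= parameter value.
def wrap_in_account_chooser(login_url)
  return login_url unless google_idp?(login_url)

  GOOGLE_ACCOUNT_CHOOSER_URL + CGI.escape(login_url)
end

# Recover the original login URL from an AccountChooser URL (useful in
# tests and when reading redirect URLs out of request logs).
def unwrap_account_chooser(chooser_url)
  query = URI.parse(chooser_url).query.to_s
  CGI.parse(query).fetch("continue", []).first
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample of what Authrequest#create returns for a Google IdP.
  sample = "https://accounts.google.com/o/saml2/idp?idpid=EXAMPLE_ID" \
           "&SAMLRequest=AAAA%3D%3D&RelayState=%2Fhome"
  puts wrap_in_account_chooser(sample)
end
```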