Google SAML app_not_configured_for_user / equivalent of prompt=select_account SAML


Question

I'm using Gsuite as a SAML IdP to authenticate users of my organisation on internal apps.

Everything is working fine, except for one point: when one of my users is logged in with his/her personal account only, Google will fail with:

403 Error: app_not_configured_for_user

This makes sense as the app is intended to be used by internal users only, but I would like to be able to force Google saml authentication to display the account selector even if the user is already logged in to one account as this is possible for oauth2 with prompt=select_account.

Any way to have the same behavior with SAML?

I actually managed to achieve what I want by using

https://accounts.google.com/AccountChooser/?continue=$SAML_REQUEST$

Here is the snippet I used to adapt it in Ruby on Rails (using ruby-saml):

config/initializers/saml_override.rb

require "cgi"

module OneLogin
  module RubySaml
    class Authrequest < SamlMessage
      GOOGLE_ACCOUNT_CHOOSER_URL = "https://accounts.google.com/AccountChooser?continue="
      alias_method :old_create, :create

      # Build the normal SSO redirect URL, then wrap it in Google's account chooser
      # so the user is asked which account to use before the SAML request is sent.
      def create(settings, params = {})
        self.old_create(settings, params)
        @login_url = GOOGLE_ACCOUNT_CHOOSER_URL + CGI.escape(@login_url)
      end
    end
  end
end

Answer

require "cgi"

class SamlController < ApplicationController

  def init
    request = OneLogin::RubySaml::Authrequest.new
    redirect = request.create(saml_settings)

    # google doesn't support ForceAuthn so we have to redirect requests to the account chooser first
    google_account_url_chooser = "https://accounts.google.com/AccountChooser?continue="
    if redirect.include?("https://accounts.google.com")
      encoded_redirect = CGI.escape(redirect)
      redirect = "#{google_account_url_chooser}#{encoded_redirect}"
    end

    redirect_to(redirect)
  end

  def saml_settings
    # ... (body omitted in the original answer)
  end
end
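An added helper, not from the question or the answer, that performs the same AccountChooser wrapping as the controller above but decides by the parsed host instead of a substring match and refuses to wrap a URL that is already a chooser URL; the sample SSO URL with its idpid and SAMLRequest values is constructed for the example.

```ruby
require "cgi"
require "uri"

# Assumed names for this example; the values match the URLs used in the answer.
ACCOUNT_CHOOSER_PREFIX = "https://accounts.google.com/AccountChooser?continue="
GOOGLE_ACCOUNTS_HOST = "accounts.google.com"

# True only for an https URL whose host is exactly accounts.google.com.
# Comparing the parsed host (not String#include?) avoids matching look-alike
# hosts such as accounts.google.com.example.net.
def google_idp_url?(url)
  uri = URI.parse(url)
  uri.is_a?(URI::HTTPS) && uri.host == GOOGLE_ACCOUNTS_HOST
rescue URI::InvalidURIError
  false
end

# True when the URL already points at the AccountChooser endpoint.
def account_chooser_url?(url)
  uri = URI.parse(url)
  uri.host == GOOGLE_ACCOUNTS_HOST && uri.path == "/AccountChooser"
rescue URI::InvalidURIError
  false
end

# Wrap a ruby-saml login redirect (IdP SSO URL + SAMLRequest) in the chooser.
# Non-Google IdP URLs and already-wrapped URLs are returned unchanged.
def wrap_in_account_chooser(login_url)
  return login_url unless google_idp_url?(login_url)
  return login_url if account_chooser_url?(login_url)
  ACCOUNT_CHOOSER_PREFIX + CGI.escape(login_url)
end

# Inverse operation: recover the original SSO URL from the chooser's
# `continue` parameter (CGI.parse unescapes the value). Handy for checking
# in logs or tests that the SAMLRequest survived the wrapping intact.
def unwrap_account_chooser(chooser_url)
  query = URI.parse(chooser_url).query.to_s
  CGI.parse(query)["continue"].first
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: a Google SSO URL as ruby-saml would build it.
  sample = "https://accounts.google.com/o/saml2/idp?idpid=EXAMPLEID&SAMLRequest=nVJN%2BAAA%3D"
  puts wrap_in_account_chooser(sample)
end
```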
