Google SSO SAML not working

[CodilX]

Attempted Debugging

• I have read the debugging page

Searched GitHub Issues

• I have searched GitHub for the issue.

Describe the Scenario

I followed the SAML guide https://www.youtube.com/watch?v=szweYsAow88 and set it up the same way, but for Google.

However it doesn't work. Trying the "Test SAML Login" in the Google Admin Dashboard throws the following error:

403. That’s an error.

Error: not_a_saml_app

Provided application is not a SAML app

Request Details
idpid=***
spid=***
forceauthn=false

That’s all we know.

Trying to login in Bookstack results in this error:

403. That’s an error.

Error: app_not_configured_for_user

Service is not configured for this user.

Request Details
idpid=***
SAMLRequest=***
RelayState=https://domain.com/saml2/acs

That’s all we know.

.env:

AUTH_METHOD=saml2
SAML2_NAME="Google SSO"
SAML2_EMAIL_ATTRIBUTE=email
SAML2_EXTERNAL_ID_ATTRIBUTE=id
SAML2_DISPLAY_NAME_ATTRIBUTES=first_name|last_name
SAML2_IDP_ENTITYID=https://accounts.google.com/o/saml2?idpid=***
SAML2_AUTOLOAD_METADATA=false
SAML2_IDP_SSO=https://accounts.google.com/o/saml2/idp?idpid=***
SAML2_IDP_x509="-----BEGIN CERTIFICATE----- *** -----END CERTIFICATE-----"
SAML2_IDP_AUTHNCONTEXT=true

Google:

ACS URL: https://domain.com/saml2/acs
Entity ID: https://domain.com/saml2/metadata

Name ID format => EMAIL
Name ID => Basic Information > Primary email

Mappings:

Primary email => email
First name => first_name
Last name => last_name
Employee ID => id

I noticed that the Name ID format in Bookstack is by default emailAddress. I tried using the default one and manually changing it to email but it didn't help anything.

I made sure to set my account to be able to use the added SAML app.

Is this a Bookstack issue? A Google configuration issue? I'm stumped.

Exact BookStack Version

v22.03

Log Content

No response

PHP Version

7.4

Hosting Environment

Apache, Debian

[ssddanbrown]

Hi @CodilX,

Trying to login in Bookstack results in this error:
app_not_configured_for_user

Have you followed the google documentation here for that message?

Other than that, I'm not sure what to suggest as I'm not that familiar with Google environments for SAML.
Both of these seem like google-side issues, but I can't be sure. Some sources indicate some of these errors may be due to a fresh SAML auth app being set-up, and sometimes you might need to wait a day for things to start working? Might be worth trying again now.

[CodilX]

Logging out and in didn't help, but for whatever reason logging in an incognito window made everything work!

I'm guessing some aggressive caching on Google's end was the culprit.

[Mazvy]

@ssddanbrown Can confirm this issue regarding the 403 app_not_configured_for_user error.

It seems that when using an incognito window it does allow users to login via SAML, however in a non incognito window, regardless of whether they logout/login out of their Google account - it doesn't work.

I tried prepending https://accounts.google.com/AccountChooser?continue= to the redirect URL in the hopes that the selection screen triggers some Google session update - to no avail.

public function login(): array
{
   $toolKit = $this->getToolkit();
   $returnRoute = url('/saml2/acs');

   return [
      //'url' => $toolKit->login($returnRoute, [], false, false, true),
      'url' => 'https://accounts.google.com/AccountChooser?continue=' . urlencode($toolKit->login($returnRoute, [], false, false, true)),
      'id'  => $toolKit->getLastRequestID(),
   ];
}

It does feel like a Google cache issue. However the weird thing is that just logging out and back in again doesn't solve this issue, only an incognito window does. Afterwards jumping back to a regular session - it still doesn't work and the users gets that 403 app_not_configured_for_user error.

Our SAML app has been enabled for less than 24 hours. My hope is that this will resolve itself as it does seem to be tied with Google account sessions. But perhaps there is a way to force Google to forcefully recheck/recache/etc if a user has access to an application over SAML - be it through Google Admin or the SAML ACS query?

The main problem here is that if a user is added to a group that has permission to access BookStack - will it take days for their account session (or something) to update in order for them to be able to login properly without having to resort to incognito windows?