
oob9b (oob9b) asked a question.
I have added Google Workspace as an IdP and set up routing. I followed the directions on the Add SAML identity provider page. I am trying to use Google as a source provider. We have the same setup with MS Azure; this was set up before I was on the team. When I add a new user to Okta, the user is asked to create a password. This should not be the case. And when the user logs out of Okta and logs back in, they are given the Google login page. But no password works. But Okta logs show login as successful.

Hello @oob9b (oob9b), thank you for reaching out to our Community!
If the user is asked to sign in to Okta to set up a password, then the user is not routed to the correct IDP. In this case I recommend reviewing the routing rule and making sure the user is properly routed to the IDP.
For authentication, users should not have a password in Okta and should just be re-routed to their IDP for the authentication.
For both IDPs, they are routed based on domains. olddomain.com users are routed to Azure and newdomain.com is routed to Google. Both have JIT enabled. Not sure if that makes a difference. I've noticed that in Azure, after a day or two of adding a new user, it will automatically populate in Okta. So far no user has been automatically imported from Google.
If you are using the IDP setup and JIT for user creation, users are created as soon as they log in to Okta and not based on import, because the IDP setup does not support importing users. This could be the reason for the users not showing for a few days at a time.
I removed the new user that I added from Okta. Then I tried logging in to Okta as the new user. After entering the new user's email address I get the Google login page. When I select the account I get a 403 error from Google - Error: app_not_configured_for_user. Shouldn't it go back to Okta?
@oob9b (oob9b) Is your application assigned by user or by group? Have you tried adding it to the group and assigning this group to this application?
In Okta, all users are assigned to the everyone group that has 2 applications assigned to it.
@oob9b (oob9b) Is Error: app_not_configured_for_user thrown from Google or Okta?
It is coming from Google. I am trying to use Google as an IdP for Okta. I want to assign apps via Okta, not Google.
@oob9b (oob9b) I found some documents about this error from Google:
https://support.zendesk.com/hc/en-us/articles/4408834302490-Google-SSO-app-not-configured-for-user-error
https://support.google.com/a/answer/6301076
https://stackoverflow.com/questions/58223843/google-saml-sso-403-app-not-configured-for-user-error-when-signed-into-persona
Could you check these documents? I think it is not an Okta setting issue.
I am only trying to use Google as a source provider for IdP. Not as a management tool. Currently we have MS Azure set up as an IdP with SAML. It doesn't require any configuration for a new app that I assign through Okta. I will check with Google; they had directed me to Okta.