AnyConnect SAML Auth with Google Workspace error 403

Solved
kaschi
Conversationalist

AnyConnect SAML Auth with Google Workspace error 403

Hi,

 

instead auf Azure I want to use Google for authentication but it is not working yet. I get the following error:

 

403 app_not_configured_for_user

 

Google says:

 

 

Verify that the value in the saml:Issuer tag in the SAMLRequest matches the Entity ID value configured in the SAML Service Provider Details section in the Admin console. This value is case-sensitive.

 

 

I am not sure where to find the saml:Issuer tag in the SAMLRequest... Anyway, does this work in general for anyone and is able to help?

Thanks a lot!
Kay

 

EDIT

With Azure SAML auth is working. The funny thing is, that we authenticate with Google SSO to Azure, so it works in the end with the Google Workspace account. 

 

Again: I want to realize this with Google directly. Any idea?

1 Accepted Solution
kaschi
Conversationalist

Thank you for your help. I figured it out after some tests with Azure SAML and Google SAML. While Azure was working instantly for Google it seems like it took a while... 

 

When I configured the domain like you recommended in Meraki Client VPN SAML settings, it was showing up an XML file in the little AnyConnect auth window without any options. So that was not the trick, at least not for Google SAML auth.

 

So in the end I have done it like this (might be interesting for others who want to do the same):

 

In Google Workspace

 

  1. New user definded SAML app
  2. Configure as follows:

    kaschi_1-1648570490435.png
  3. Enable App for OU and/or Group. I just enabled it for everybody.
  4. Important: don't choose "Signed response", I was struggling with that as well.

 

 

 

On Meraki side

 

  1. Enable AnyConnect
  2. Configure as follows:

    kaschi_2-1648570674624.png

     

  3. Configure remaining settings as needed.

 

When testing the app in Google with the button "TEST SAML LOGIN" it should show up the following in a new browser tab:

 

kaschi_3-1648571194881.png

 

So, in the end this is working really nice and smooth. In my opinion it was like this in the very beginning but not working as I might did not wait long enough for Google and changed setting before one of the providers was ready to go and so I think I ended up in a loop of errors without giving the systems a change to take over properly. Or maybe it was the additional blank after the Entity ID in the Google SAML conf that it ended up in an URL mismatch. 

 

Anyway, if there are any questions, feel free to ask. 🙂

 

View solution in original post

3 Replies 3
PhilipDAth
Kind of a big deal
Kind of a big deal

I have zero experience with Google.

 

The Entity ID presented by the Meraki system to Google with be:

https://xxx.dynamic-m.com/saml/sp/metadata/SAML

Where "xxx" is your DDNS hostname.  Google will need this exact Entity ID, otherwise, it will give an error like you have indicated.

 

The other thing striking me is the error "app_not_configured_for_user".  This also sounds like the user has not been authorised in Google to use this app.

kaschi
Conversationalist

Thank you for your help. I figured it out after some tests with Azure SAML and Google SAML. While Azure was working instantly for Google it seems like it took a while... 

 

When I configured the domain like you recommended in Meraki Client VPN SAML settings, it was showing up an XML file in the little AnyConnect auth window without any options. So that was not the trick, at least not for Google SAML auth.

 

So in the end I have done it like this (might be interesting for others who want to do the same):

 

In Google Workspace

 

  1. New user definded SAML app
  2. Configure as follows:

    kaschi_1-1648570490435.png
  3. Enable App for OU and/or Group. I just enabled it for everybody.
  4. Important: don't choose "Signed response", I was struggling with that as well.

 

 

 

On Meraki side

 

  1. Enable AnyConnect
  2. Configure as follows:

    kaschi_2-1648570674624.png

     

  3. Configure remaining settings as needed.

 

When testing the app in Google with the button "TEST SAML LOGIN" it should show up the following in a new browser tab:

 

kaschi_3-1648571194881.png

 

So, in the end this is working really nice and smooth. In my opinion it was like this in the very beginning but not working as I might did not wait long enough for Google and changed setting before one of the providers was ready to go and so I think I ended up in a loop of errors without giving the systems a change to take over properly. Or maybe it was the additional blank after the Entity ID in the Google SAML conf that it ended up in an URL mismatch. 

 

Anyway, if there are any questions, feel free to ask. 🙂

 

Sam2000
New here

Thanks for the detailed post. I've been having a lot of trouble with this particular set up.

The really tricky part is that about 30% of the time, I can connect to the VPN using Google SAML auth, but the rest of the time I get "app_not_configured_for_user"

In the logs on the Google side, the times it failed I can see the SAML request came in, but there is no "Application name" in the log. It's like it was an incomplete request?

The TEST SAML LOGIN button seems to always work, so I suspect it's something in the AnyConnect Client?

When I tested this with AzureAD, it opens the AnyConnect browser helper app (acwebhelper.exe) each time, and I have to log in each time.

When I switch the XML in the Maraki config back to Google, it never asks me to log back in, it's like it's saved the credentials somewhere and I can't clear the cache?

 

Using AnyConnect Client v 4.10.05085

 

I'm hoping someone might be able to shed some light on what's going on?

Get notified when there are additional replies to this discussion.