Hi,
Instead of Azure, I want to use Google for authentication, but it is not working yet. I get the following error:
403 app_not_configured_for_user
Google says:
Verify that the value in the saml:Issuer tag in the SAMLRequest matches the Entity ID value configured in the SAML Service Provider Details section in the Admin console. This value is case-sensitive.
I am not sure where to find the saml:Issuer tag in the SAMLRequest... Anyway, does this work in general for anyone, and is anyone able to help?
Thanks a lot!
Kay
EDIT
With Azure, SAML auth is working. The funny thing is that we authenticate with Google SSO to Azure, so in the end it works with the Google Workspace account.
Again: I want to realize this with Google directly. Any idea?
Thank you for your help. I figured it out after some tests with Azure SAML and Google SAML. While Azure was working instantly, for Google it seems like it took a while...
When I configured the domain like you recommended in the Meraki Client VPN SAML settings, it was showing an XML file in the little AnyConnect auth window without any options. So that was not the trick, at least not for Google SAML auth.
So in the end I have done it like this (might be interesting for others who want to do the same):
In Google Workspace
On Meraki side
When testing the app in Google with the button "TEST SAML LOGIN", it should show the following in a new browser tab:
So, in the end this is working really nice and smooth. In my opinion it was like this in the very beginning but not working, as I might not have waited long enough for Google and changed settings before one of the providers was ready to go, and so I think I ended up in a loop of errors without giving the systems a chance to take over properly. Or maybe it was the additional blank after the Entity ID in the Google SAML conf that ended up in a URL mismatch.
Anyway, if there are any questions, feel free to ask. 🙂
I have zero experience with Google.
The Entity ID presented by the Meraki system to Google will be:
https://xxx.dynamic-m.com/saml/sp/metadata/SAML
Where "xxx" is your DDNS hostname. Google will need this exact Entity ID, otherwise, it will give an error like you have indicated.
The other thing striking me is the error "app_not_configured_for_user". This also sounds like the user has not been authorised in Google to use this app.
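For anyone wondering, as the original poster did, where the saml:Issuer tag actually lives: it is inside the SAMLRequest query parameter that AnyConnect sends to Google, which is a base64-encoded, DEFLATE-compressed AuthnRequest (HTTP-Redirect binding). The script below is an added example, not code from the thread or from Meraki or Google; it builds a constructed sample request using the placeholder Entity ID from the reply above (the "xxx" hostname is a placeholder, as in that reply), decodes it the way Google does, and compares the Issuer with the value you typed into the Admin console, reporting separately the two silent failure modes mentioned in this thread: a case difference and a trailing blank.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Placeholder Entity ID from the thread; "xxx" stands for your DDNS hostname.
ENTITY_ID = "https://xxx.dynamic-m.com/saml/sp/metadata/SAML"
# Hypothetical ACS URL, only needed to make the constructed request well-formed.
ACS_URL = "https://xxx.dynamic-m.com/saml/sp/acs"


def build_redirect_samlrequest(issuer: str, acs_url: str = ACS_URL) -> str:
    """Construct a SAMLRequest parameter as the HTTP-Redirect binding does:
    raw DEFLATE (no zlib header) followed by base64. This only produces
    sample input; a real SP such as the Meraki MX generates the request."""
    xml = (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" '
        'ID="_constructed-1" Version="2.0" IssueInstant="2023-01-01T00:00:00Z" '
        f'AssertionConsumerServiceURL="{acs_url}">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        "</samlp:AuthnRequest>"
    )
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw deflate stream
    return base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()


def decode_samlrequest(param: str) -> str:
    """Turn the SAMLRequest parameter (as copied from the URL) back into XML.
    Redirect-binding requests are deflated; POST-binding ones are plain base64."""
    raw = base64.b64decode(urllib.parse.unquote(param))
    try:
        return zlib.decompress(raw, -15).decode()
    except zlib.error:
        return raw.decode()


def extract_issuer(xml_text: str) -> str:
    """Return the text of the saml:Issuer child of the AuthnRequest."""
    root = ET.fromstring(xml_text)
    el = root.find(f"{{{SAML_NS}}}Issuer")
    if el is None or el.text is None:
        raise ValueError("no saml:Issuer element in SAMLRequest")
    return el.text


def check_entity_id(samlrequest_param: str, configured_entity_id: str) -> str:
    """Compare what the SP sends with what was configured in the Google Admin
    console. Google compares the two strings exactly, so a case difference or a
    stray blank is enough to trigger 403 app_not_configured_for_user."""
    issuer = extract_issuer(decode_samlrequest(samlrequest_param))
    if issuer == configured_entity_id:
        return "match"
    if issuer.strip() == configured_entity_id.strip():
        return "whitespace mismatch"
    if issuer.lower() == configured_entity_id.lower():
        return "case mismatch"
    return "mismatch"


if __name__ == "__main__":
    req = build_redirect_samlrequest(ENTITY_ID)
    print("Issuer in request:", extract_issuer(decode_samlrequest(req)))
    for configured in (ENTITY_ID, ENTITY_ID + " ", ENTITY_ID.lower()):
        print(repr(configured), "->", check_entity_id(req, configured))
```

To use it against a real failure, copy the SAMLRequest value from the URL the AnyConnect browser window opens (the part after `SAMLRequest=` and before the next `&`) and pass it to `check_entity_id` together with the Entity ID string from the Admin console; the "whitespace mismatch" and "case mismatch" results are the two conditions Google's own hint and the accepted solution point at.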
Thanks for the detailed post. I've been having a lot of trouble with this particular set up.
The really tricky part is that about 30% of the time I can connect to the VPN using Google SAML auth, but the rest of the time I get "app_not_configured_for_user".
In the logs on the Google side, the times it failed I can see the SAML request came in, but there is no "Application name" in the log. It's like it was an incomplete request?
The TEST SAML LOGIN button seems to always work, so I suspect it's something in the AnyConnect Client?
When I tested this with AzureAD, it opens the AnyConnect browser helper app (acwebhelper.exe) each time, and I have to log in each time.
When I switch the XML in the Meraki config back to Google, it never asks me to log back in; it's like it has saved the credentials somewhere and I can't clear the cache?
Using AnyConnect Client v4.10.05085.
I'm hoping someone might be able to shed some light on what's going on?