Learn to fix the error “Google SAML SSO – 403 app_not_configured_for_user”. Our Google Cloud Support team is here to help you with your questions and concerns.
Google SAML SSO – 403 app_not_configured_for_user
According to our Experts, the “app_not_configured_for_user” error occurs in different cases when setting up Single Sign-On (SSO) with SAML. Here are some common reasons:
- The application corresponding to the entity ID in the SSO request has not been created in the Google Admin console.
- The entity ID provided in the SAML request does not match any of the entity IDs of installed applications.
- The SP ID in the IdP-initiated URL has been tampered with.
Solutions
1. SSO in Incognito Mode
- First, open an incognito window and attempt the SSO login.
- If the login is successful, the issue might be that you’re using an incorrect Google account.
2. Verify the WordPress SAML SSO Plugin Configuration
- Ensure the WordPress SAML SSO Plugin is correctly installed and configured before initiating an SSO request.
- Confirm that the SP entity ID in the Service Provider Metadata tab matches the Entity ID configured in Google Apps.
3. Check User Assignment in Google Apps
If the issue persists, it may be due to improper user assignment in Google Apps. Follow these steps:
- First, log in to admin.google.com with the G Suite administrator account.
- Head to Apps > Web and Mobile Apps.
- Select the configured application in the IDP section.
- In the User Access section, click OFF for everyone and then select ON for everyone.
4. Fix Passport-SAML Configuration
If we use `passport-saml`, set `googleAuth: true` in the configuration. This ensures users are redirected to the Google account selection page during authorization.
5. Debugging Common Configuration Issues
- Enable organization-wide permission to allow all users access.
- Verify the `EntityId` value—if it includes `/Acs`, remove it from both the Service Provider (SP) configuration and IDP settings.
- Re-upload the `metadata.xml` file to your Service Provider.
6. Browser and Account Authentication Issues
- Try logging in from Google Chrome, as Google SAML authentication often works best in Chrome.
- If using an Android device, add the G Suite account under Settings > Accounts and retry the login.
7. Sign in with the Correct Google Account
- Click the Google icon in the same browser window where we got the error.
- Sign out if we are using the wrong Google account.
- Then, sign in with the correct SAML-enabled Google account.
- Return to the application and retry authentication.
- Once authentication is successful, we can log out and switch back to our original account.
8. Clearing Application-Specific Data
If we are using Keeper Password Manager, delete the stored cookies from:
Look for a similar folder in the application and clear it to remove potential conflicts.
9. Ensure the Correct `saml:Issuer` Value
Verify that the `saml:Issuer` tag in the SAMLRequest matches the Entity ID configured in the Google Admin console. The value is case-sensitive, so double-check for any discrepancies.
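The checks from steps 5 and 9 can be run against a captured SAMLRequest. The script below is an added example, not code from Google or from any SAML plugin: it decodes the request (HTTP-Redirect or HTTP-POST binding), reads `saml:Issuer`, and compares it case-sensitively with the configured Entity ID. The sample request, the `sp.example.com` URLs and all function names are constructed for illustration.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# Constructed sample AuthnRequest; the issuer URL is a placeholder.
SAMPLE_XML = (
    b'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    b'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed1" '
    b'Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
    b"<saml:Issuer>https://sp.example.com/saml/Acs</saml:Issuer>"
    b"</samlp:AuthnRequest>"
)

def redirect_encode(xml: bytes) -> str:
    """Encode the sample as an HTTP-Redirect SAMLRequest value."""
    c = zlib.compressobj(wbits=-15)
    packed = base64.b64encode(c.compress(xml) + c.flush()).decode()
    return urllib.parse.quote(packed, safe="")

def decode_saml_request(value: str) -> bytes:
    """URL-decode and base64-decode; inflate if HTTP-Redirect was used."""
    raw = base64.b64decode(urllib.parse.unquote(value))
    try:
        return zlib.decompress(raw, -15)   # HTTP-Redirect: raw DEFLATE
    except zlib.error:
        return raw                         # HTTP-POST: plain XML

def extract_issuer(xml: bytes) -> str:
    if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:
        raise ValueError("DTD in SAML message; refusing to parse")
    node = ET.fromstring(xml).find(f"{{{ASSERTION_NS}}}Issuer")
    if node is None or not node.text:
        raise ValueError("no saml:Issuer in request")
    return node.text

def check_issuer(saml_request: str, configured_entity_id: str) -> str:
    issuer = extract_issuer(decode_saml_request(saml_request))
    if issuer == configured_entity_id:
        return "match"
    if issuer.strip().lower() == configured_entity_id.strip().lower():
        return "mismatch: differs only in case or whitespace"
    if issuer.rstrip("/").lower().endswith("/acs"):
        return "mismatch: issuer ends in /Acs"
    return "mismatch"

if __name__ == "__main__":
    print(check_issuer(redirect_encode(SAMPLE_XML), "https://sp.example.com/saml"))
```

To check a real request, copy the `SAMLRequest` parameter from the browser's network tab and pass it to `check_issuer` together with the Entity ID shown in the Google Admin console.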
Conclusion
Following the above troubleshooting steps can resolve the “app_not_configured_for_user” error in SAML SSO setups.
In brief, our Support Experts demonstrated how to fix “Google SAML SSO – 403 app_not_configured_for_user”.