Google SSO SAML not working #2738

Closed
opened 2026-02-05 04:58:14 +03:00 by OVERLORD · 3 comments

Originally created by @CodilX on GitHub (Apr 2, 2022).

Attempted Debugging

  • I have read the debugging page

Searched GitHub Issues

  • I have searched GitHub for the issue.

Describe the Scenario

I followed the SAML guide https://www.youtube.com/watch?v=szweYsAow88 and set it up the same way, but for Google.

However it doesn't work. Trying the "Test SAML Login" in the Google Admin Dashboard throws the following error:

  403. That’s an error.

Error: not_a_saml_app

Provided application is not a SAML app

Request Details
idpid=***
spid=***
forceauthn=false

That’s all we know.

Trying to login in Bookstack results in this error:

  403. That’s an error.

Error: app_not_configured_for_user

Service is not configured for this user.

Request Details
idpid=***
SAMLRequest=***
RelayState=https://domain.com/saml2/acs

That’s all we know.

.env:

AUTH_METHOD=saml2
SAML2_NAME="Google SSO"
SAML2_EMAIL_ATTRIBUTE=email
SAML2_EXTERNAL_ID_ATTRIBUTE=id
SAML2_DISPLAY_NAME_ATTRIBUTES=first_name|last_name
SAML2_IDP_ENTITYID=https://accounts.google.com/o/saml2?idpid=***
SAML2_AUTOLOAD_METADATA=false
SAML2_IDP_SSO=https://accounts.google.com/o/saml2/idp?idpid=***
SAML2_IDP_x509="-----BEGIN CERTIFICATE----- *** -----END CERTIFICATE-----"
SAML2_IDP_AUTHNCONTEXT=true

Google:

ACS URL: https://domain.com/saml2/acs
Entity ID: https://domain.com/saml2/metadata

Name ID format => EMAIL
Name ID => Basic Information > Primary email

Mappings:

Primary email => email
First name => first_name
Last name => last_name
Employee ID => id

I noticed that the Name ID format in Bookstack is by default emailAddress. I tried using the default one and manually changing it to email but it didn't help anything.

I made sure to set my account to be able to use the added SAML app.

Is this a Bookstack issue? A Google configuration issue? I'm stumped.

Exact BookStack Version

v22.03

Log Content

No response

PHP Version

7.4

Hosting Environment

Apache, Debian

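One check worth running before blaming either side, added here as an example and not code from BookStack or Google: decode a captured SAMLResponse (for instance from a browser SAML tracer extension) and confirm that its NameID format, Destination and attribute names match the .env mapping and ACS URL given in this issue. The response embedded below is constructed for illustration only; its Employee ID attribute is deliberately left empty so the check has something to flag. The environment values and ACS URL are the ones from the issue.

```python
"""Check a captured Google SAMLResponse against BookStack's attribute mapping.

Added diagnostic, not BookStack or Google code. SAMPLE_RESPONSE_XML is a
constructed example; paste the base64 SAMLResponse value from a real capture
into SAMPLE_RESPONSE_B64 to check your own deployment.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# BookStack's default NameID format (the issue calls it "emailAddress").
EMAIL_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Taken from the .env posted in the issue.
BOOKSTACK_ENV = {
    "SAML2_EMAIL_ATTRIBUTE": "email",
    "SAML2_EXTERNAL_ID_ATTRIBUTE": "id",
    "SAML2_DISPLAY_NAME_ATTRIBUTES": "first_name|last_name",
}
ACS_URL = "https://domain.com/saml2/acs"  # ACS URL configured on the Google side

# Constructed sample (not a real Google response): attributes follow the
# mapping in the issue, but "id" (Employee ID) is intentionally empty.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2022-04-02T00:00:00Z" Destination="https://domain.com/saml2/acs">
  <saml:Issuer>https://accounts.google.com/o/saml2?idpid=EXAMPLE</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2022-04-02T00:00:00Z">
    <saml:Issuer>https://accounts.google.com/o/saml2?idpid=EXAMPLE</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@domain.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>alice@domain.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="first_name"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="last_name"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="id"><saml:AttributeValue></saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def expected_attributes(env):
    """Attribute names BookStack will look for, derived from the .env values."""
    names = [env["SAML2_EMAIL_ATTRIBUTE"], env["SAML2_EXTERNAL_ID_ATTRIBUTE"]]
    names += env["SAML2_DISPLAY_NAME_ATTRIBUTES"].split("|")
    return names


def parse_saml_response(b64_response):
    """Decode a base64 SAMLResponse and pull out NameID, Destination and attributes."""
    root = ET.fromstring(base64.b64decode(b64_response))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plain Assertion element (encrypted or malformed response)")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return {
        "destination": root.get("Destination"),
        "name_id": name_id.text if name_id is not None else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "attributes": attrs,
    }


def check_against_env(parsed, env, acs_url):
    """Return a list of mismatches between the assertion and the SP configuration."""
    problems = []
    if parsed["destination"] != acs_url:
        problems.append(f"Destination {parsed['destination']!r} != ACS URL {acs_url!r}")
    if parsed["name_id_format"] != EMAIL_NAMEID_FORMAT:
        problems.append(f"NameID format {parsed['name_id_format']!r}, expected {EMAIL_NAMEID_FORMAT!r}")
    for name in expected_attributes(env):
        values = parsed["attributes"].get(name)
        if not values:
            problems.append(f"attribute {name!r} missing from assertion")
        elif all(v == "" for v in values):
            problems.append(f"attribute {name!r} present but empty")
    return problems


if __name__ == "__main__":
    result = parse_saml_response(SAMPLE_RESPONSE_B64)
    for problem in check_against_env(result, BOOKSTACK_ENV, ACS_URL) or ["no mismatches found"]:
        print(problem)
```

This only checks names and values; it does not verify the XML signature, which BookStack's SAML toolkit does against SAML2_IDP_x509, so it is a diagnostic for mapping mismatches and not a substitute for that validation. It also cannot help with the two 403 pages quoted above: those are served by Google before any assertion is issued, so there is no SAMLResponse to inspect in that case.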
OVERLORD added the 🐕 Support label 2026-02-05 04:58:14 +03:00

@ssddanbrown commented on GitHub (Apr 3, 2022):

Hi @CodilX,

Trying to login in Bookstack results in this error:
app_not_configured_for_user

Have you followed the Google documentation here for that message (https://support.google.com/a/answer/6301076?hl=en)?

Other than that, I'm not sure what to suggest as I'm not that familiar with Google environments for SAML.
Both of these seem like google-side issues, but I can't be sure. Some sources indicate some of these errors may be due to a fresh SAML auth app being set-up, and sometimes you might need to wait a day for things to start working? Might be worth trying again now.


@CodilX commented on GitHub (Apr 3, 2022):

Logging out and in didn't help, but for whatever reason logging in an incognito window made everything work!

I'm guessing some aggressive caching on Google's end was the culprit.


@Mazvy commented on GitHub (Apr 7, 2022):

@ssddanbrown Can confirm this issue regarding the 403 app_not_configured_for_user error.

It seems that when using an incognito window it does allow users to login via SAML, however in a non-incognito window, regardless of whether they log out of and back in to their Google account, it doesn't work.

I tried prepending https://accounts.google.com/AccountChooser?continue= to the redirect URL in the hopes that the selection screen triggers some Google session update - to no avail.

// Modified login() of BookStack's SAML2 service, as tried above.
public function login(): array
{
   $toolKit = $this->getToolkit();      // OneLogin PHP-SAML Auth instance
   $returnRoute = url('/saml2/acs');    // BookStack's Assertion Consumer Service URL

   return [
      // Original: send the user straight to the IdP SSO URL (with SAMLRequest) built by the toolkit.
      //'url' => $toolKit->login($returnRoute, [], false, false, true),
      // Experiment: go through Google's account chooser first, with the toolkit's
      // SSO redirect URL-encoded as the "continue" target.
      'url' => 'https://accounts.google.com/AccountChooser?continue=' . urlencode($toolKit->login($returnRoute, [], false, false, true)),
      'id'  => $toolKit->getLastRequestID(), // ID of the AuthnRequest just built
   ];
}

It does feel like a Google cache issue. However the weird thing is that just logging out and back in again doesn't solve this issue, only an incognito window does. Afterwards, jumping back to a regular session, it still doesn't work and the user gets that 403 app_not_configured_for_user error.

Our SAML app has been enabled for less than 24 hours. My hope is that this will resolve itself as it does seem to be tied with Google account sessions. But perhaps there is a way to force Google to forcefully recheck/recache/etc if a user has access to an application over SAML - be it through Google Admin or the SAML ACS query?

The main problem here is that if a user is added to a group that has permission to access BookStack - will it take days for their account session (or something) to update in order for them to be able to login properly without having to resort to incognito windows?

Reference: starred/BookStack#2738