GSuite SAML `app_not_configured_for_user` error

[tbarbugli]

I am getting the app_not_configured_for_user error right after the account selection from Google.

According to Google docs

403 app_not_configured_for_user
To resolve the 403 app_not_configured_for_user error:

Verify that the value in the saml:Issuer tag in the SAMLRequest matches the Entity ID value configured in the SAML Service Provider Details section in the Admin console. This value is case-sensitive.

Unfortunately this does not seem to be correct as the saml:Issuer bit inside samlp:AuthnRequest matches the value on GSuite side.

I was wondering if anyone had luck using GSuite with python3-saml already and/or if this is a known problem.

Here is the request XML

<samlp:AuthnRequest
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="ONELOGIN_8486c5065f513b6f1a40f55021d1978822c51c67"
  Version="2.0"
    ProviderName="[ REDACTED provider name]"
  IssueInstant="2021-03-25T19:05:12Z"
  Destination="[ IDP SSO URL ]"
  ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
  AssertionConsumerServiceURL="[ SP ACS ]">
    <saml:Issuer>[ SP ENTITY ID ]</saml:Issuer>
    <samlp:NameIDPolicy
        Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
        AllowCreate="true" />
    <samlp:RequestedAuthnContext Comparison="exact">
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>

[pitbulk]

have you verified the values are the same? (notice is case-sensitive). Does the value contain localhost or a local IP? (thread)

[IzyI]

Friends try to fight the same mistake. My saml settings.

{
  "strict": true,
  "debug": true,
  "sp": {
    "entityId": "https://siteproxy.ru/metadata/",
    "assertionConsumerService": {
      "url": "https://siteproxy.ru/?acs",
      "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    },
    "singleLogoutService": {
      "url": "https://siteproxy.ru/?sls",
      "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    },
    "NameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "x509cert": "",

    "privateKey": ""
  },
  "idp": {
    "entityId": "https://accounts.google.com/o/saml2?idpid=C015v91qo",
    "singleSignOnService": {
      "url": "https://accounts.google.com/o/saml2/idp?idpid=C015v91qo",
      "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    },
    "singleLogoutService": {
      "url": "https://accounts.google.com/o/saml2/idp?idpid=C015v91qo",
      "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    },
    "x509cert": "MIIDdDCCAlygAwIBAgIGAX6/8T/CMA0GCSqGSIb3DQEBCwUAMHsxFDASBgNVBAoTC0dvb2dsZSBJ bmMuMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MQ8wDQYDVQQDEwZHb29nbGUxGDAWBgNVBAsTD0dv b2dsZSBGb3IgV29yazELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWEwHhcNMjIwMjAz MTQxNjA0WhcNMjcwMjAyMTQxNjA0WjB7MRQwEgYDVQQKEwtHb29nbGUgSW5jLjEWMBQGA1UEBxMN TW91bnRhaW4gVmlldzEPMA0GA1UEAxMGR29vZ2xlMRgwFgYDVQQLEw9Hb29nbGUgRm9yIFdvcmsx CzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A MIIBCgKCAQEAsvZT9aPBzPsZ9Nd73mzthi+uDtpXrM1kgXFsacqi8fzKmVvC5AedRp4QbDw2d0kf 6p97tCjPV7FfADABNARQqQ38/uTXq6jiZK24FKXiogARna7JKJEKh8+gOkq11G1JV20hpMKyC0DR QH6nUaO6plhRY5LyFO7NNFSSxoyEP4o4i9bclTMLzeCfVkzUU9YQA831E31QeGHrf3Yn84SDrsVs Y8lh8JDLLW/I8M18mGuu6VRWXkRKuDkCzjJAViMphOEH37qyJF7Lr7yJjf6v2Cnkdf1cI8b8rCi0 iPN/Cg6Bszv5UK9RF4lUpQEc3n06M7E0YzXdvav166G02VsWxwIDAQABMA0GCSqGSIb3DQEBCwUA A4IBAQA0c8np2BTJ5h2RrpzT8SAULVn+5ojmIHLsNJg6iB0DCb4PfJNeXqzrLi73L46QHfSwNovl PV76N/m00eYYc3ThG2fhQJ/XhgyrT9ghe0VrzdLB1TLZS+IvmCbN75EMXr0VODp5bKl1uH+xc2+/ K60vi1RUR61jJaBZs5nad06SsD8k0vhEP5VLsrcLZjkKem1/hQec5F0i1Seo8SuKUNzbxeTLqdzz 7H2IIld39xN+hX3qL4AvrKgtI/ub1PV48Hhth+MozupcyyPTe8fAepGJSHYWS5LGi43+hyRds7Rf pDOhTCR6kEWAaM/vg/0+tovk7I+qFuX7w7bbL7poONiv"
  }
}

my samltracer

What could I have missed?

[IzyI]

@tbarbugli have you solved this problem?

[pitbulk]

Have you solved this issue? Otherwise reopen the issue