awslabs / ssosync

Populate AWS SSO directly with your G Suite users and groups using either a CLI or AWS Lambda
Apache License 2.0
517 stars 178 forks

External Google Workspace users/Manual users and groups #136

Closed morganrowse closed 5 months ago

morganrowse commented 1 year ago

Hi and thank you for this awesome code!

We are trying to configure AWS SSO so that it will federate Google Workspace users AND externally mapped group users so that we can federate access for external domains to AWS accounts. All federated and managed by Google Workspace Groups and not manually like the default behavior of AWS SSO.

What we have

A primary Google Workspace, with domain like internal.com

Multiple secondary external and independent Google Workspaces like external.com external.org

When creating a Google group on the primary Google Workspace, you can make it include external users, like mygroup@internal.com:

The hope is that as the SAML application is tied to the Google group, meaning we could federate external users

However, SSO Sync will not add the users to AWS SSO, as seen in the logs:

{"group":"mygroup","id":"user@external.com","level":"warning","msg":"missing user","time":"2023-07-07T06:29:40Z"}
{"group":"mygroup","id":"user@external.org","level":"warning","msg":"missing user","time":"2023-07-07T06:29:40Z"}

Regardless, when signing into AWS SSO as an external user, Google shows the error:

Error: app_not_configured_for_user

Service is not configured for this user.

It would be awesome if this was possible or if we could even add manual users to AWS SSO in addition to the automated provisioned ones via SSOSync.

Something like a variable that allows adding manual users that don't need to go through the SAML flow.

alexeiser commented 1 year ago

I believe Google's SAML can only be used by members of your workspace. Since the people in question are not in your workspace, Google is showing the error message. You should bring this up with your Google support contacts.

nandubatchu commented 5 months ago

Hey @morganrowse were you able to get some response from Google support? I am facing the same problem and am interested to understand how you resolved this situation!

ChrisPates commented 5 months ago

I don’t believe you can. So whilst external users can be members of groups, their authentication is federated with their Google directory.

When IAM IdC SAMLv2 federates with the Google directory instance, it can auth users local to that directory, but it doesn’t support federated auth via SAMLv2.

Whilst you could (sort of) create these users in the identity store, they wouldn’t be able to auth, as all auth must be via SAML when using an external IdP.

This is why we have to filter out any external users when syncing groups.

If you get additional from your support cases, I would appreciate you sharing anything that might overcome this limitation.

Kind regards,

Chris

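The "missing user" warnings quoted earlier are the visible trace of the filtering Chris describes: group members whose address belongs to another Google directory cannot be provisioned and are skipped. The following Go program is an added example written for this page, not ssosync's own code; it reads ssosync-style JSON log lines, keeps only "missing user" warnings whose domain is outside the workspace domains you pass in, and reports them per group so an operator can confirm that the skipped members really are external rather than local users missing for some other reason. The sample log block is constructed (its first two lines copy the issue's output), and the domain list `internal.com` is taken from the issue's example.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// syncWarning mirrors the shape of the "missing user" log lines quoted in the issue:
// one JSON object per line with group, id, level, msg and time fields.
type syncWarning struct {
	Group string `json:"group"`
	ID    string `json:"id"`
	Level string `json:"level"`
	Msg   string `json:"msg"`
	Time  string `json:"time"`
}

// ExternalReport maps a group name to the sorted member addresses whose domain is not
// one of the workspace's own domains, i.e. the members ssosync cannot provision.
type ExternalReport map[string][]string

// emailDomain returns the lower-cased domain part of an address, or "" if malformed.
func emailDomain(addr string) string {
	at := strings.LastIndex(addr, "@")
	if at < 0 || at == len(addr)-1 {
		return ""
	}
	return strings.ToLower(addr[at+1:])
}

// FindExternalMembers scans log output for "missing user" warnings and keeps only those
// whose address lies outside workspaceDomains. Non-JSON lines and other messages are ignored.
func FindExternalMembers(logs string, workspaceDomains []string) (ExternalReport, error) {
	own := make(map[string]bool, len(workspaceDomains))
	for _, d := range workspaceDomains {
		own[strings.ToLower(d)] = true
	}
	report := ExternalReport{}
	sc := bufio.NewScanner(strings.NewReader(logs))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var w syncWarning
		if err := json.Unmarshal([]byte(line), &w); err != nil {
			continue // not a structured log line; skip it
		}
		if w.Msg != "missing user" {
			continue
		}
		dom := emailDomain(w.ID)
		if dom == "" || own[dom] {
			// Address is malformed or belongs to the workspace itself: that is a local user
			// missing for another reason, not the external-member case discussed here.
			continue
		}
		report[w.Group] = append(report[w.Group], w.ID)
	}
	if err := sc.Err(); err != nil {
		return nil, err
	}
	for g := range report {
		sort.Strings(report[g])
	}
	return report, nil
}

// sampleLogs is constructed for this example; the first two lines copy the issue's output.
const sampleLogs = `{"group":"mygroup","id":"user@external.com","level":"warning","msg":"missing user","time":"2023-07-07T06:29:40Z"}
{"group":"mygroup","id":"user@external.org","level":"warning","msg":"missing user","time":"2023-07-07T06:29:40Z"}
{"group":"mygroup","id":"alice@internal.com","level":"warning","msg":"missing user","time":"2023-07-07T06:29:41Z"}
{"group":"mygroup","id":"bob@internal.com","level":"info","msg":"syncing user","time":"2023-07-07T06:29:41Z"}
not a json line`

func main() {
	report, err := FindExternalMembers(sampleLogs, []string{"internal.com"})
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for group, members := range report {
		fmt.Printf("group %q: %d external member(s) skipped by sync: %s\n",
			group, len(members), strings.Join(members, ", "))
	}
}
```

Run it against a captured ssosync log (for example by replacing `sampleLogs` with the file contents) and pass every domain your primary workspace owns; any member listed in the report is one whose sign-in would be federated to a different Google directory and so cannot be provisioned through this SAML integration, exactly the `app_not_configured_for_user` case the issue describes.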