Troubleshoot single sign-on (SSO)

This document provides steps to resolve common error messages encountered during the integration or use of SAML-based single sign-on (SSO) with Google Workspace when Google is the service provider (SP).

Configuration and Activation

"This domain is not configured to use single sign-on."

This error typically indicates that you're trying to use single sign-on with a Standard (Free) Edition of G Suite, which doesn't support SSO. If you're certain that you're using a Google Workspace edition that supports SSO, check the configuration in your identity provider to ensure that you have entered your Google Workspace domain name correctly.

"This account cannot be accessed because the domain is incorrectly configured. Please try again later."

This error indicates that you haven't set up SSO correctly in the Google Admin console. Review the following steps to correct the situation:

  1. In the Admin console, go to Security and then Set up single sign-on (SSO) with a third-party IdP, and check the Set up SSO with third-party identity provider box.
  2. Provide URLs for your organization's sign-in page, sign-out page, and change password page in the corresponding fields.
  3. Choose and upload a valid verification certificate file.
  4. Click Save, wait a few minutes for your changes to take effect, and test your integration again.

Parsing the SAML Response

"The required response parameter SAMLResponse was missing"

This error message indicates that your Identity Provider is not providing Google with a valid SAML Response of any kind. This problem is almost certainly due to a configuration issue in the Identity Provider.

  • Check your Identity Provider logs and make sure that there is nothing preventing it from correctly returning a SAML Response.
  • Ensure that your Identity Provider is not sending Google Workspace an encrypted SAML Response. Google Workspace only accepts SAML Responses that are unencrypted. In particular, note that Microsoft's Active Directory Federation Services 2.0 often sends encrypted SAML Responses in its default configuration.

"The required response parameter RelayState was missing"

The SAML 2.0 specification requires that Identity Providers retrieve and send back a RelayState URL parameter from Service Providers (such as Google Workspace). Google Workspace provides this value to the Identity Provider in the SAML Request, and the exact contents can differ in every login. For authentication to complete successfully, the exact RelayState must be returned in the SAML Response. According to the SAML specification, your Identity Provider must not modify the RelayState during the login flow.

  • Diagnose this issue further by capturing HTTP headers during a login attempt. Extract the RelayState from the HTTP headers of both the SAML Request and the SAML Response, and make sure that the RelayState values in the Request and Response match.
  • Most commercially available or open-source SSO Identity Providers transmit the RelayState correctly by default. For optimum security and reliability, we recommend that you use one of these existing solutions; we cannot offer support for your own custom SSO software.

Contents of the SAML Response

"This service cannot be accessed because your login request contained invalid [destination|audience|recipient] information. Please log in and try again."

This error indicates that the destination, audience or recipient elements in the SAML assertion contained invalid data or were empty. All of these elements must be included in the SAML assertion. Check the following table for descriptions and examples of each element.

Element: <Audience>
Description: URI that identifies the intended audience; its value must be the ACS URI. Note: the element value cannot be empty.
Required value: https://www.google.com/a/<example.com>/acs
Example:

  <saml:Conditions NotBefore="2014-11-05T17:31:37Z"
    NotOnOrAfter="2014-11-05T17:37:07Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://www.google.com/a/example.com/acs</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>

Element: Destination attribute of the <StatusResponseType> type
Description: URI the SAML assertion is sent to. Optional, but if declared it must have the value of the ACS URI.
Required value: https://www.google.com/a/<example.com>/acs
Example:

  <samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="7840062d379d82598d87ca04c8622f436bb03aa1c7"
    Version="2.0"
    IssueInstant="2014-11-05T17:32:07Z"
    Destination="https://www.google.com/a/example.com/acs"
    InResponseTo="midihfjkfkpcmbmfhhoehbokhbkeapbbinldpeen">

Element: Recipient attribute of <SubjectConfirmationData>
Description:
  • Defines the entity intended to receive the Subject.
  • Required attribute, which must contain the ACS URI.
  • Case sensitive.
Required value: https://www.google.com/a/<example.com>/acs
Example:

  <saml:Subject>
    <saml:NameID SPNameQualifier="google.com/a/example.com"
      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:email">user@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2014-11-05T17:37:07Z"
        Recipient="https://www.google.com/a/example.com/acs"
        InResponseTo="midihfjkfkpcmbmfhjoehbokhbkeapbbinldpeen"/>
    </saml:SubjectConfirmation>
  </saml:Subject>

For details of all the required elements, review the article SSO assertion requirements.

"This service cannot be accessed because your login request contained no recipient information. Please log in and try again."

This error usually indicates that the SAML Response from your Identity Provider lacks a readable Recipient value (or that the Recipient value is incorrect). The Recipient value is a required component of the SAML Response.

  1. Diagnose this issue further by capturing HTTP headers during a login attempt.
  2. Extract the SAML Request and Response from the HTTP headers.
  3. Ensure that the Recipient value in the SAML Response exists and that it matches the ACS URL used in the SAML Request.

Note: this error message may also appear as "This service cannot be accessed because your login request contained invalid recipient information. Please log in and try again."

"This account cannot be accessed because the login credentials could not be verified."

This error indicates a problem with the certificates you're using to sign the authentication flow. It usually means that the private key used to sign the SAML Response doesn't match the public key certificate that Google Workspace has on file.

It can also occur if your SAML Response doesn't contain a viable Google Accounts username. Google Workspace parses the SAML Response for an XML element called NameID, and expects this element to contain a Google Workspace username or a full Google Workspace email address.

  • Ensure that you've uploaded a valid certificate to Google Workspace, and if necessary replace the certificate. In the Google Admin console, go to Security and then Set up single sign-on (SSO) with a third-party IdP, and click Replace certificate.
  • If you're using a full email address in your NameID element (you must be if you are using SSO with a multi-domain Google Workspace environment), ensure that the Format attribute of the NameID element specifies that a full email address is to be used, as in the following example: Format="urn:oasis:names:tc:SAML:2.0:nameid-format:email"
  • Ensure that you're populating the NameID element with a valid username or email address. To be sure, extract the SAML Response you're sending to Google Workspace and check the value of the NameID element.
  • NameID is case-sensitive: ensure that the SAML Response is populating NameID with a value that matches the case of the Google Workspace username or email address.
  • If your Identity Provider is encrypting your SAML Assertion, disable encryption.
  • Ensure that the SAML Response doesn't include any non-ASCII characters. This issue most commonly occurs in the DisplayName, GivenName, and Surname attributes in the AttributeStatement, for example:
    • <Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
        <AttributeValue>Blüte, Eva</AttributeValue>
      </Attribute>
    • <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
        <AttributeValue>Blüte</AttributeValue>
      </Attribute>

For more information on how to format the NameID element, see SSO assertion requirements.

"This service cannot be accessed because your login credentials have expired. Please log in and try again."

For security reasons, the SSO login flow must complete within a certain timeframe, or authentication will fail. If the clock on your Identity Provider is incorrect, most or all login attempts will appear to be outside the acceptable timeframe, and authentication will fail with the above error message.

  • Check the clock on your Identity Provider's server. This error is almost always caused by the Identity Provider's clock being incorrect, which puts incorrect timestamps in the SAML Response.
  • Re-sync the Identity Provider server clock with a reliable internet time server. When this issue suddenly occurs in a production environment, it is typically because the last time sync failed, causing the server time to drift. Repeating the time sync (possibly with a more reliable time server) will quickly remedy this issue.
  • This issue can also occur if you are re-sending a SAML Response from a previous login attempt. Examining your SAML Request and Response (obtained from HTTP header logs captured during a login attempt) can help you debug this further.

"This service cannot be accessed because your login credentials are not yet valid. Please log in and try again."

For security reasons, the SSO login flow must complete within a certain timeframe, or authentication will fail. If the clock on your Identity Provider is incorrect, most or all login attempts will appear to be outside the acceptable timeframe, and authentication will fail with the above error message.

  • Check the clock on your Identity Provider's server. This error is almost always caused by the Identity Provider's clock being incorrect, which puts incorrect timestamps in the SAML Response.
  • Re-sync the Identity Provider server clock with a reliable internet time server. When this issue suddenly occurs in a production environment, it is typically because the last time sync failed, causing the server time to drift. Repeating the time sync (possibly with a more reliable time server) will quickly remedy this issue.
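The following SP-side validator is an added example (not Google's code) that applies the Destination, Audience, Recipient and NameID rules from the element table above, plus the NotBefore/NotOnOrAfter window behind the "expired" and "not yet valid" errors, to a constructed sample Response; the 180-second skew allowance is an assumption, and signature verification is out of scope.

```python
# Added example, not Google's code. SAMPLE_RESPONSE below is constructed (made-up IDs/times).
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" InResponseTo="_req1"
  IssueInstant="2014-11-05T17:32:07Z" Destination="https://www.google.com/a/example.com/acs">
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2014-11-05T17:32:07Z">
  <saml:Subject>
   <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData NotOnOrAfter="2014-11-05T17:37:07Z" InResponseTo="_req1"
     Recipient="https://www.google.com/a/example.com/acs"/>
   </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2014-11-05T17:31:37Z" NotOnOrAfter="2014-11-05T17:37:07Z">
   <saml:AudienceRestriction><saml:Audience>https://www.google.com/a/example.com/acs</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
 </saml:Assertion>
</samlp:Response>"""

def _ts(value):  # SAML timestamps are UTC, e.g. 2014-11-05T17:32:07Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_response(xml_text, acs_url, request_id, now, skew_seconds=180):
    """Return the checks that fail; an empty list means the response passes them all."""
    root, failures = ET.fromstring(xml_text), []
    if root.get("Destination") not in (None, acs_url):      # Destination is optional
        failures.append("invalid destination")
    if root.get("InResponseTo") != request_id:              # stale or replayed response
        failures.append("InResponseTo mismatch")
    aud = root.find(".//saml:AudienceRestriction/saml:Audience", NS)
    if aud is None or (aud.text or "").strip() != acs_url:  # required, never empty
        failures.append("invalid audience")
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:      # exact, case-sensitive match
        failures.append("invalid recipient")
    nid = root.find(".//saml:NameID", NS)
    if nid is None or not (nid.text or "").strip():         # username or full email
        failures.append("no NameID")
    cond = root.find(".//saml:Conditions", NS)
    t, skew = _ts(now), timedelta(seconds=skew_seconds)     # skew absorbs IdP clock drift
    if cond is not None and t + skew < _ts(cond.get("NotBefore")):
        failures.append("not yet valid")
    if cond is not None and t - skew >= _ts(cond.get("NotOnOrAfter")):
        failures.append("expired")
    return failures
```

Passing a `now` well after NotOnOrAfter reproduces the "expired" case and one well before NotBefore the "not yet valid" case, which is what an IdP with a wrong clock produces for every login.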
