Having multiple Google accounts (using the hd parameter) #598
Comments
Cf. #213, same issue. It is indeed a problem on Google's side, but I feel like a simple solution with php-saml either already exists (and I haven't found it yet), or would be feasible.
If you are sending a SAMLRequest via HTTP-Redirect
and you end at
It is clear that Google has not recognized the hd parameter. I tried to search an official Google doc describing hd, but only found references to the OIDC protocol. If you are trying to execute an SP-initiated flow, what happens if rather than using an AuthNRequest authentication, you instead redirect the user to:
Example:
Maybe if the user selected the account, they are not asked again to select the account. Alternative: have you tried to send the email in the NameID? So basically at your app you request the user for their email, and then build the AuthNRequest to include that parameter. I have not tested it, but maybe that bypasses the need for the AccountChooser. See nameIdValueReq.
Yup, that's what I'm trying to achieve now, but I feel like it implies modifying the lib itself, to "manually" build the AccountChooser URL with whatever weird combination of triply-urlencoded parameters Google is using at this step.
Here's a dirty hack I've made that solves the problem, allowing you to append
I'm using Google as an SAML IdP for my app.
It works, but when a user has 2 Google accounts (say, one for work and one for leisure), during the login process they see the account chooser. This doesn't really make sense, because we know we want to choose the address that ends with @mycompany.com .
Worse: if they pick the wrong account (the one that isn't configured to work with my app), they get an error, and still get a cookie according to which this account should be used, and they can't reach the account chooser anymore...
According to this link, Google accepts an hd parameter with the domain name you want to automatically pick, and it works great.
Only problem is, it only works on the account chooser page. That's not the page on which we land when connecting with SAML (https://accounts.google.com/o/saml2/something). When adding the hd parameter to this URL (which php-saml lets us do easily with the `parameters` argument of the `login` method), it is encoded with the rest of the URL, and passed to the account chooser, as a GET parameter called `continue`. Therefore the account chooser doesn't receive the actual hd parameter... in other words, the account chooser's URL is like https://accounts.google.com/AccountChooser/signinchooser?continue=https%3A%2F%2Faccounts.google.com%2Fo%2Fsaml2%2Fcontinue%3Fidpid%3Dblah_blah_encoded_url%2Fhd%3Dmy_hd_parameter
Any idea what we could do?
Thanks in advance
PS: if I'm not being clear enough, please just see the link I've included, and consider that I would like to achieve exactly what it is that they're doing, but while using php-saml.
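The nameIdValueReq workaround suggested in the comments, together with the domain check the original post wants (pinning logins to @mycompany.com), as an added example that is not code from php-saml or from anyone in this thread. It assumes php-saml 3.x (`OneLogin\Saml2\Auth`), a `$settingsInfo` array already configured for Google as the IdP, and a placeholder domain `mycompany.com`; the point it adds is that neither hd nor the prefilled NameID is enforced by the SP, so the ACS endpoint must verify the domain of the asserted NameID itself.

```php
<?php
// Added example (not php-saml project code). Assumes php-saml 3.x via Composer
// and a $settingsInfo array configured for Google as IdP; domain is a placeholder.
require_once __DIR__ . '/vendor/autoload.php';
use OneLogin\Saml2\Auth;
const ALLOWED_DOMAIN = 'mycompany.com'; // placeholder for the thread's @mycompany.com

// Return the email if it belongs to the allowed domain, otherwise null.
// hd and the NameID prefill are only hints to Google's UI; the SP must enforce
// the domain itself, both before the request and on the returned assertion.
function emailForAllowedDomain(string $email): ?string
{
    $email = trim($email);
    if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
        return null;
    }
    $domain = strtolower(substr(strrchr($email, '@'), 1));
    return $domain === ALLOWED_DOMAIN ? $email : null;
}

// Step 1 (login endpoint): ask the user for their email, then pass it as the
// requested NameID value (the nameIdValueReq argument suggested in the thread)
// instead of appending hd to the IdP URL, which only ends up inside "continue".
function startLogin(array $settingsInfo, string $email): void
{
    $allowed = emailForAllowedDomain($email);
    if ($allowed === null) {
        http_response_code(400);
        exit('Please sign in with your ' . ALLOWED_DOMAIN . ' account.');
    }
    $auth = new Auth($settingsInfo);
    // login($returnTo, $parameters, $forceAuthn, $isPassive, $stay, $setNameIdPolicy, $nameIdValueReq)
    $auth->login(null, [], false, false, false, true, $allowed);
}

// Step 2 (ACS endpoint): never trust the hint; check the asserted NameID domain.
function finishLogin(array $settingsInfo): string
{
    $auth = new Auth($settingsInfo);
    $auth->processResponse();
    if (!$auth->isAuthenticated()) {
        throw new RuntimeException('SAML error: ' . implode(', ', $auth->getErrors()));
    }
    $nameId = emailForAllowedDomain((string) $auth->getNameId());
    if ($nameId === null) {
        throw new RuntimeException('Account is not in ' . ALLOWED_DOMAIN);
    }
    return $nameId; // only now create the local session for this user
}
```

A user who picks the wrong Google account still reaches the ACS endpoint with a valid assertion for that account, so the check in `finishLogin` is what actually keeps the leisure account out, not the hint.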