Google Apps for Work Connector logins fail

I’ve installed the Google Apps for Work Connector. When I try logging into my account using the UCS portal I get a Google error: “G Suite - This service cannot be accessed because your login request contained invalid recipient information. Please log in and try again.”

This worked fine during testing, but we turned off SSO on the G Suite side for a few weeks before we were ready to roll this out company-wide. I tried turning SSO back on, received this error, and restarted the setup process.

I’ve verified system time, uninstalled and reinstalled the app from UCS, and gone through the setup wizard a number of times to no avail. I also updated all packages and upgraded UCS to 4.2-3 errata231.

Any suggestions?

Hello,

Can you verify that the connector connection is established successfully?
(Create a gapps-enabled user in UCS and check if it appears in the Google directory by logging in with an administrative account to the Google Admin Console.)
Check the log file (/var/log/univention/listener.log) for error messages.

Greetings
Daniel Tröder

Yes, I’m able to create and delete accounts in UCS and they are created and deleted in G Suite.

According to this Google support document the SAML response sent to G Suite is not correct. Please test if it makes a difference if you log in at the Google web interface with the user login or use the link on the UCS portal page.
For further analysis, one would have to activate debugging in the UCS SAML identity provider and have a look at the assertion that is sent to the browser, which sends it to the Google login page.
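
Added example, not part of the thread and not Univention's or Google's code: once the `SAMLResponse` form field posted by the browser has been captured, the recipient data in it can be compared with the service provider's ACS URL. The sample response, the domain names and the `EXPECTED_ACS` value are constructed assumptions; substitute the ACS URL configured for your own Google service provider.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: Destination is current, Recipient still names an old domain.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://www.google.com/a/example.com/acs">
  <saml:Assertion><saml:Subject>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData
          Recipient="https://www.google.com/a/old.example.com/acs"/>
    </saml:SubjectConfirmation>
  </saml:Subject></saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()
# Assumption: the ACS URL the service provider expects (placeholder domain).
EXPECTED_ACS = "https://www.google.com/a/example.com/acs"


def recipient_fields(saml_response_b64):
    """Decode a POST-binding SAMLResponse and return its recipient fields."""
    # Intended for output of your own IdP; for untrusted XML use a hardened
    # parser such as defusedxml instead of ElementTree.
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    return {
        "Destination": root.get("Destination"),
        "Recipient": scd.get("Recipient") if scd is not None else None,
    }


def check_recipient(saml_response_b64, expected_acs):
    """Return a list of mismatches; an empty list means the fields agree."""
    fields = recipient_fields(saml_response_b64)
    problems = []
    if fields["Recipient"] is None:
        problems.append("Recipient missing from SubjectConfirmationData")
    for name, value in fields.items():
        if value is not None and value != expected_acs:
            problems.append(f"{name} is {value!r}, expected {expected_acs!r}")
    return problems


if __name__ == "__main__":
    for line in check_recipient(SAMPLE_B64, EXPECTED_ACS) or ["recipient data matches"]:
        print(line)
```

A mismatch reported here points at the service provider configuration stored on the identity provider side rather than at the user account.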
