Google Workspace unexpected behavior

I’m experimenting with Google Workspace connector.

Here’s what I’ve observed so far.

If a configured Google user goes to the default home page for UCS like https://ucshost.mydomina.com/univention/portal/#/ and clicks on the Google Workspace Login button, they can authenticate but are then redirected to https://admin.google.com

I’m running UCS 5.0-6 errata974

How can we prevent being redirected to admin.google.com? Most users won’t have permission.

If I simply change the web address to gmail.com, the user is logged in, so authentication is working. I just don’t know how to prevent the redirect to admin.google.com.

I also get the following error in the web browser when trying to log into gmail.com. After entering my Gmail Workspace email, I get redirected to my UCS SSO with the following error:

Metadata not found

Unable to locate metadata for 'https://accounts.google.com/samlrp/04ju8tnr3jhec5c'

SimpleSAML_Error_MetadataNotFound: METADATANOTFOUND('%ENTITYID%' => '\'https://accounts.google.com/samlrp/04ju8tnr3jhec5c\'')

Backtrace:
3 lib/SimpleSAML/Metadata/MetaDataStorageHandler.php:299 (SimpleSAML_Metadata_MetaDataStorageHandler::getMetaData)
2 lib/SimpleSAML/Metadata/MetaDataStorageHandler.php:319 (SimpleSAML_Metadata_MetaDataStorageHandler::getMetaDataConfig)
1 modules/saml/lib/IdP/SAML2.php:334 (sspmod_saml_IdP_SAML2::receiveAuthnRequest)
0 www/saml2/idp/SSOService.php:19 (N/A)

Starting at gmail.com gives the above error, and when starting with ucs sso I get redirected to google’s admin page. This seems like a bug to me. Should I report it? Being redirected to admin.google.com is similar to an error as most users won’t have access to this page.

Does anyone have this connector working with Google Workspace?

What other troubleshooting steps can I perform?

EDIT:
Just talking to myself out loud here. I decided to create a test domain on Google and perform a fresh install of UCS. I can reproduce the bug where UCS redirects users to admin.google.com after signing in via SSO.

If the user goes directly to mail.google.com or any other Google page allowing login, the user can be redirected to the UCS SSO login. Once authenticated, the user is redirected back to the original URL requesting the sign-in, like mail.google.com or whichever URL they started from.

On the contrary, if the user goes directly to the UCS server to log in, selecting the UCS Google Workspace login button will let them log into Google Workspace, but they are always redirected to admin.google.com.
