This looks like a message from the Google IdP, which makes sense if someone uses a personal account instead of the Workspace account. That StackOverflow post is more about forcing people to sign in rather than doing a seamless automatic sign-on; it doesn't help if someone signs in with the wrong account.
From the Google IdP perspective, I see why they are doing that and pointing back to your SP (which is wrongly configured in the Google personal account context). What you would be looking for is a way to instruct Google to ONLY accept logins for your Workspace, but I am unsure if that is possible. With Azure/Entra ID there are similar issues if someone logs in with an account from another organization, and I don't think the message is much more descriptive.
I think educating your users, maybe putting additional information on your own sign-in page, or having the sign-in error easily found in your knowledge base/help pages is the best achievable. But others may have found a more elegant solution?
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check
https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
Original Message:
Sent: Jan 10, 2025 02:55 PM
From: KK7
Subject: Handling onboarding/web logins with users who logged in with incorrect SAML/OAuth credentials
A few years ago, I looked at configuring our Bring Your Own Device (BYOD) Wi-Fi captive portal to utilize SAML authentication from Google since it would better align with how users authenticate elsewhere in our institution. I used the Onboard and Cloud Identity Providers document to successfully create an Aruba Guest Web Login example that could log users in with SAML authentication. After performing login tests through the Web Login, I discovered an issue where users could input personal Google credentials into the login prompt and receive a 403 app_not_configured_for_user message from Google. Once the 403 error is given to a device, getting an option from Google to log in with a different account is tough. Since BYOD equipment is logging into this captive portal, the chance that the user could mistakenly input their personal Google account into the SAML authentication is high.
I've looked to see if there is a method of forcing users always to log in when they reach a SAML webpage but I haven't had much luck with any of the suggestions (StackOverflow examples 1 & 2). I have considered performing the OAuth implementation using the Cloud Identity option, but I believe the same issue exists.
I am curious how others handle incorrect credentials being passed to SAML from a ClearPass web login. Right now, my captive portal uses LDAPS through on-premises Active Directory as a workaround, since it won't accept anything but institution credentials, but I would like to use a more modern cloud-based authentication method from Google or Microsoft Azure instead.
Environment Details
- Google Workspace for Education
- Aruba ClearPass 6.11.9.259693
- Aruba Central with WAPs running AOS-10
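For the OAuth/OIDC (Cloud Identity) route that the original post considers, the following is an added example written for this page; it is not ClearPass code and not from anyone in the thread. It shows the two places where a relying party can keep personal Google accounts out: the authorization request, where Google's `hd` (hosted domain) and `prompt=select_account` parameters steer the account chooser toward the Workspace domain, and the token check, where the `hd` claim of the returned ID token is enforced server-side (a personal @gmail.com account carries no `hd` claim, so it is rejected even if the user got past the chooser). Whether the ClearPass Cloud Identity configuration exposes these request parameters is an assumption, as are all client IDs, domains and claim values, which are constructed; the ID token is assumed to have already been signature-verified by an OIDC library, so only the claim checks are shown.

```python
"""Restricting a Google OAuth/OIDC login to a single Workspace domain.

Added example for the thread above, not ClearPass or Google code. Hypothetical
relying-party logic that would sit behind a captive-portal login page. Assumes the
ID token signature was already verified by an OIDC library; only claim checks
are implemented here.
"""
from urllib.parse import urlencode, urlparse, parse_qs

GOOGLE_AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
GOOGLE_ISSUERS = ("https://accounts.google.com", "accounts.google.com")


def build_authorization_url(client_id, redirect_uri, hosted_domain, state, nonce):
    """Build the authorization request that sends the user to Google.

    hd=<domain> asks Google to limit the account picker to that Workspace domain and
    prompt=select_account forces the chooser, so a BYOD device already signed in to a
    personal account still gets to pick the institution account. Both only shape the
    UI; the real enforcement is check_id_token_claims() on the way back.
    """
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": "openid email",
        "hd": hosted_domain,
        "prompt": "select_account",
        "state": state,
        "nonce": nonce,
    }
    return f"{GOOGLE_AUTH_ENDPOINT}?{urlencode(params)}"


def authorization_params(url):
    """Parse an authorization URL back into a flat dict (helper for inspection/tests)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def check_id_token_claims(claims, client_id, hosted_domain, expected_nonce):
    """Return (ok, reason) for an already signature-verified ID token payload.

    The hd check is the one that keeps personal accounts out: Google only sets
    'hd' for Workspace accounts, so a consumer account fails here regardless of
    what the user did in the account chooser.
    """
    if claims.get("iss") not in GOOGLE_ISSUERS:
        return False, "unexpected issuer"
    if claims.get("aud") != client_id:
        return False, "token issued for a different client"
    if claims.get("nonce") != expected_nonce:
        return False, "nonce mismatch (possible replay)"
    if claims.get("email_verified") is not True:
        return False, "email address not verified by Google"
    if claims.get("hd") != hosted_domain:
        return False, "account is not in the institution's Workspace domain"
    return True, "ok"


# Constructed sample data (placeholders, not real identifiers).
CLIENT_ID = "123456789-example.apps.googleusercontent.com"
DOMAIN = "school.example.edu"
NONCE = "n-7f3c1a"

INSTITUTION_CLAIMS = {  # constructed: a Workspace account in the right domain
    "iss": "https://accounts.google.com", "aud": CLIENT_ID, "nonce": NONCE,
    "email": "student@school.example.edu", "email_verified": True, "hd": DOMAIN,
}
PERSONAL_CLAIMS = {  # constructed: a personal Gmail account, no 'hd' claim
    "iss": "https://accounts.google.com", "aud": CLIENT_ID, "nonce": NONCE,
    "email": "someone@gmail.com", "email_verified": True,
}


def demo():
    """Run both sample tokens through the check and return the two verdicts."""
    ok_inst, _ = check_id_token_claims(INSTITUTION_CLAIMS, CLIENT_ID, DOMAIN, NONCE)
    ok_pers, why = check_id_token_claims(PERSONAL_CLAIMS, CLIENT_ID, DOMAIN, NONCE)
    return ok_inst, ok_pers, why


if __name__ == "__main__":
    url = build_authorization_url(CLIENT_ID, "https://portal.example.edu/cb", DOMAIN, "s1", NONCE)
    print(url)
    print(demo())
```

The split matters for the problem in the thread: `hd` and `prompt` on the request give the user a chooser that already points at the institution domain, which avoids the dead-end 403 on the personal account, while the claim check guarantees that a personal account never gets network access even when the hint is ignored.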