Is any of this helpful information? See attached too
![](https://higherlogicdownload.s3.amazonaws.com/HPE/MessageImages/cee1e74c5734404c8161d6dc4cb94e5e.png)
This is the contents of the last one that's red:
GET https://accounts.google.com/o/saml2/idp?from_login=1&zt=ChQ4dFJtWUUwWUhWb3BVN3BsUUVVWRIfSTdFOWpxSHpraWdVQUM5OEZDVDNmUC0wM1dFYzd4Zw%E2%88%99AOlG-isAAAAAZiKKXMN11mA1XbNiDQwk315nmxQEC8Zx&as=6-4m2_KTyfXA5GnRTaaQDxnpwVfnNbwHVh0A6zchNPY&pli=1&authuser=3 HTTP/1.1 Upgrade-Insecure-Requests: 1 DNT: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 X-Chrome-ID-Consistency-Request: version=1,client_id=77185425430.apps.googleusercontent.com,device_id=7d5250bf-f5b9-4f95-b9df-aeee7dcf2565,sync_account_id=116556480131613263487,signin_mode=all_accounts,signout_mode=show_confirmation X-Client-Data: CIi2yQEIprbJAQipncoBCPLbygEIlaHLAQiFoM0BCLOFzgEI8IfOARizqcoBGPbJzQEYmPXNARjS/s0BGNiGzgEY642lFw== Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document sec-ch-ua: "Google Chrome";v="123", "Not:A-Brand";v="8", "Chromium";v="123" sec-ch-ua-mobile: ?0 sec-ch-ua-full-version: "123.0.6312.123" sec-ch-ua-arch: "x86" sec-ch-ua-platform: "Windows" sec-ch-ua-platform-version: "15.0.0" sec-ch-ua-model: "" sec-ch-ua-bitness: "64" sec-ch-ua-wow64: ?0 sec-ch-ua-full-version-list: "Google Chrome";v="123.0.6312.123", "Not:A-Brand";v="8.0.0.0", "Chromium";v="123.0.6312.123" Referer: https://accounts.google.com/AccountChooser/signinchooser?continue=https%3A%2F%2Faccounts.google.com%2Fo%2Fsaml2%2Fidp%3Ffrom_login%3D1%26zt%3DChQ4dFJtWUUwWUhWb3BVN3BsUUVVWRIfSTdFOWpxSHpraWdVQUM5OEZDVDNmUC0wM1dFYzd4Zw%25E2%2588%2599AOlG-isAAAAAZiKKXMN11mA1XbNiDQwk315nmxQEC8Zx%26as%3D6-4m2_KTyfXA5GnRTaaQDxnpwVfnNbwHVh0A6zchNPY<mpl=popup&btmpl=authsub&scc=1&oauth=1&theme=mn&ddm=0&flowName=GlifWebSignIn&flowEntry=AccountChooser Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9 Cookie: SMSV=ADHTe-A2xbLttaM90RJI7qCP4AeTlwD70XxYjw67V89yxQXomdxPz82XST9YzsmCOMsfHfzMXadPbCm7fSe_FQXfZR928jXfS3KdaihcTglFonZP8lhN9Wj_WQ-SA8-r76vbV2qWYFQhwSHoThlZFldgswwjOgqR5pAJG2NqsmgiNgC8t6XHi8z10BM_nIc7p54sdcxxcCp2; LSOLH=_SVI_ENfToNDlyoQDGA8iP01BRURIZl9xRVB6SDZ6N3VUdUF2Yk45bFUzeVF1bXRxbklkOEprVWd2Z1c1NU0tYlVFOENvWVJ4NVh0MmlWbw_:28483547:fbfd; OTZ=7479135_76_80_104160_76_446820; SEARCH_SAMESITE=CgQI3poB; ACCOUNT_CHOOSER=AFx_qI6Jl0PaFmsc0H0SOG6UnfvATxobB9UpKLK5_xoMcQGpjeeFTO1EOzNBAqzKVHgKkUk-jaVf0_MFXqVWuQKPI4gX_EhrP-ueuvLrz8MyPT1z4fbp2PBgQrlPwn8IhLwEiv1U7VY6LQSb17MZH44Tu-iXfPZI68BN4qKhcST_orj-TgGDPbDm4G0Mv4ZIQbC10i8tZbxL9Z8GMdN9UJP1SXDeCdZrrMoedxVsJ58gx98jVgeKhyEqip1ztdoYJVbuWu4FcBdWwFAuQcDGkDnzU0LolEY93XTx6Fu6yMytvf9fwLKR4gCVlHFAz_TdqX-my8H5YjPZgNsSTOKAf2EfjRzNAccjXHLbjCu5LulRVhVFqd40IWirfhkaPbcg0GBNkkMJCx3B7l6LaFQrJcrzcHwCQ3rbAA; user_id=116556480131613263487; SID=g.a000iggbzvbiQygCuqYOKEKZUXq7Qh20DkHPLqd70nz-_ce29nrn4x3vcrKTYxOO1yHYbeJzLQACgYKAQ8SAQASFQHGX2MixdMEBAETS6pf2Z9Yx4XJTBoVAUF8yKqg2Me28eNlzxQus5Y4rMlG0076; __Secure-1PSID=g.a000iggbzvbiQygCuqYOKEKZUXq7Qh20DkHPLqd70nz-_ce29nrnGHa1ncRado4kzfLDN4EWWgACgYKAcYSAQASFQHGX2MiCQxA-l4b13pQSQqqwAJHEhoVAUF8yKrMnZBBtrHJULMRSN_fpW9S0076; __Secure-3PSID=g.a000iggbzvbiQygCuqYOKEKZUXq7Qh20DkHPLqd70nz-_ce29nrn6jBiqsPCuQ86RMpdYxQETgACgYKAakSAQASFQHGX2MioJkzHGuwogzN27vnc7Mc3xoVAUF8yKrsLzNp69GQ-asPeWHOaxWH0076; LSID=o.admin.google.com|o.calendar.google.com|o.chat.google.com|o.chromewebstore.google.com|o.console.cloud.google.com|o.drive.fife.usercontent.google.com|o.drive.google.com|o.gds.google.com|o.groups.google.com|o.mail.google.com|o.meet.google.com|o.myaccount.google.com|o.photos.fife.usercontent.google.com|o.photos.google.com|o.play.google.com|o.remotedesktop.google.com|o.store.google.com|o.timeline.google.com|s.youtube:g.a000iggbzuG71MCZ6DZuU6SKJCZF_KXxfwALPX1J3su8p4_TujkRmlJ8FbDBVz8yI2a6e2VptgACgYKAUYSAQASFQHGX2MiMQHzMzRoF75XoUgOscou1hoVAUF8yKoOyJhU20T1Qi0YWg2ftU5v0076; __Host-1PLSID=o.admin.google.com|o.calendar.google.com|o.chat.google.com|o.chromewebstore.google.com|o.console.cloud.google.com|o.drive.fife.usercontent.google.com|o.drive.google.com|o.gds.google.com|o.groups.google.com|o.mail.google.com|o.meet.google.com|o.myaccount.google.com|o.photos.fife.usercontent.google.com|o.photos.google.com|o.play.google.com|o.remotedesktop.google.com|o.store.google.com|o.timeline.google.com|s.youtube:g.a000iggbzuG71MCZ6DZuU6SKJCZF_KXxfwALPX1J3su8p4_TujkRd2ebuxeLwaPryYkOM3eNNAACgYKAecSAQASFQHGX2MioeWnbm4bkdjPE08E01S1txoVAUF8yKpcaFQz2_2PK2DKFXwYtuzD0076; __Host-3PLSID=o.admin.google.com|o.calendar.google.com|o.chat.google.com|o.chromewebstore.google.com|o.console.cloud.google.com|o.drive.fife.usercontent.google.com|o.drive.google.com|o.gds.google.com|o.groups.google.com|o.mail.google.com|o.meet.google.com|o.myaccount.google.com|o.photos.fife.usercontent.google.com|o.photos.google.com|o.play.google.com|o.remotedesktop.google.com|o.store.google.com|o.timeline.google.com|s.youtube:g.a000iggbzuG71MCZ6DZuU6SKJCZF_KXxfwALPX1J3su8p4_TujkReWEZxEmHeegK67UiXsbLOgACgYKAQYSAQASFQHGX2MithVsQ4uKSZPrUCirtfJt5RoVAUF8yKrejTDsN4izKew5YCIWrAcI0076; HSID=A1fGqgZV8FrXL9-aD; SSID=AeKvcannXg-Q-0o1v; APISID=Zbj9yGSSMj5DpQ2F/AMri-L3GviyAm14hv; SAPISID=6n6KQKe3bSE042uE/AdRlOfbO-PuVwDBJC; __Secure-1PAPISID=6n6KQKe3bSE042uE/AdRlOfbO-PuVwDBJC; __Secure-3PAPISID=6n6KQKe3bSE042uE/AdRlOfbO-PuVwDBJC; NID=513=NY5ZluNzq6NXzHI949yC0lP0Ac_grXaxIjD3-PzEdVHfjk4RHTN8eI3fmamJvpDy3nntvyJygqAd0lSisYwdEsrT0-gTKpMMa4t2lIzAr5mhsefA06xawxaJw8foi3Ei0vg3y0H3yL4ExPtWQMlH0Ni9j00srHvSt6JR2yxUEw6yA1bTW2Tg_DQaGQhKd228fu0-NCH84bTuluPCGLKN5FSSG9FLbOgbC1l032FmwP3J-RyfxjoUqvfmnP60R0AuOXU9lnBlHp1LiElnB9YF85D2JlEw1BCIGEV17oZ9sLWBuM6IKm8LBIm_kL-P4ylBy0DTD9paGFfdW-ZFsR8zBjiMgSlUyr-SG0rt4sOyVEwxT2nsnDZbv8tiu9Fv5GuuxXFUk7i9l-MylxD4u9kd-xbehD0WCadASsm_c_8vIlNIRQmqmUV0xTzQTlVgkIFBsIRrYMHHZaM9QJjtTFgw2ZqTUjN-5kmsZlCTHoGgYJoSBr6P86d7R13sxrrWqxnTmM00chcjhwkxGbN1uG-TG8puXvkIGKBq3m4daI0YT01xx53CbBGjvw; AEC=AQTF6Hw9Zh9fO-IXJ3mAAiFKLgN8AXAeikCsGVS-MGO7fn5SYzDkeKFp4fo; __Secure-1PSIDTS=sidts-CjIB7F1E_CRMKb3QsrBc_OnovOI_YS9CR-H0Kn92MuMtWNAFREbLvXnjPu_pTQ06cGvPGxAA; __Secure-3PSIDTS=sidts-CjIB7F1E_CRMKb3QsrBc_OnovOI_YS9CR-H0Kn92MuMtWNAFREbLvXnjPu_pTQ06cGvPGxAA; __Host-GAPS=1:X0EsxcOxb9rDRcmELds84RSQe4F9lhUGUMfBe_Yq0CFG_oVY7x-9rVUjx7ggXT7sAP74ROgnPGDunsyx3-NFYaKa0YOZ8sbLscYRgMJSu-pB-g:Mma65pp1GuGAqNmG; SIDCC=AKEyXzXgswRIFSvtRsbbKSWNX-Bw_CLWHJDgPPjVjEYpLJTdOZSXqTkMY9cJD_JSfxjsC80AjvE; __Secure-1PSIDCC=AKEyXzVNV1lDRAW_gh7WZ-3pbYHFE61OBegW0ix5LgOEZUFUjommvK6R7eOvwMAnyCM-zyYfCWw; __Secure-3PSIDCC=AKEyXzUiQBJ9YlZxuDI32pWDwtZzWLJIpFKEPyPyrixP69Pwax_U14yzfNnoekiiK7-zgIJtyhb-
HTTP/1.1 403 content-type: text/html; charset=utf-8 cache-control: no-cache, no-store, max-age=0, must-revalidate pragma: no-cache expires: Mon, 01 Jan 1990 00:00:00 GMT date: Thu, 18 Apr 2024 15:14:40 GMT content-language: en-US content-security-policy: require-trusted-types-for 'script';report-uri /o/cspreport content-security-policy: script-src 'report-sample' 'nonce-1ceoCRMHYWfYPYfE3HSwGg' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';object-src 'none';base-uri 'self';report-uri /o/cspreport content-encoding: gzip server: ESF x-xss-protection: 0 x-frame-options: SAMEORIGIN x-content-type-options: nosniff alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Original Message:
Sent: Apr 18, 2024 03:33 AM
From: Florian_Baaske
Subject: ClearPass SSO With Google Workspace using SAML - RelayState missing/invalid
Can you check with a saml tracer (browser plugin) if the information exchanged are correct?
------------------------------
-------------------------------------------------------------------------------
Florian Baaske
-------------------------------------------------------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
-------------------------------------------------------------------------------
Also visit the AirHeads Youtube Channel:
https://www.youtube.com/channel/UCFJCnuXFGfEbwEzfcgU_ERQ
-------------------------------------------------------------------------------
Feel free to visit my personal Blog
https://www.flomain.de
Original Message:
Sent: Apr 17, 2024 07:53 PM
From: darthandy
Subject: ClearPass SSO With Google Workspace using SAML - RelayState missing/invalid
Yes, DNS matches the FQDN and the SAML app is pointing to the FQDN correctly. ![](https://higherlogicdownload.s3.amazonaws.com/HPE/MessageImages/6298074ca7164140a1731182617a7e83.png)
![](https://higherlogicdownload.s3.amazonaws.com/HPE/MessageImages/42443a5b22974ff39888846bc73766c8.png)
Original Message:
Sent: Apr 17, 2024 04:24 PM
From: Florian_Baaske
Subject: ClearPass SSO With Google Workspace using SAML - RelayState missing/invalid
Can you also check if the host name and fqdn of the ClearPass server has the same entry and reflects your dns name?
both should be cppm.wifinerd.co
------------------------------
-------------------------------------------------------------------------------
Florian Baaske
-------------------------------------------------------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
-------------------------------------------------------------------------------
Also visit the AirHeads Youtube Channel:
https://www.youtube.com/channel/UCFJCnuXFGfEbwEzfcgU_ERQ
-------------------------------------------------------------------------------
Feel free to visit my personal Blog
https://www.flomain.de
Original Message:
Sent: Apr 17, 2024 09:50 AM
From: darthandy
Subject: ClearPass SSO With Google Workspace using SAML - RelayState missing/invalid
Yes, it's enabled.
![](https://higherlogicdownload.s3.amazonaws.com/HPE/MessageImages/3e891b16e02c466c9cfa6f227695168d.png)
![](https://higherlogicdownload.s3.amazonaws.com/HPE/MessageImages/1f3ad2e8d57e4ea0aadb9c85ac9f9e5b.png)
Original Message:
Sent: Apr 17, 2024 02:11 AM
From: Florian_Baaske
Subject: ClearPass SSO With Google Workspace using SAML - RelayState missing/invalid
Hi, have you enabled the app for the in google workspace? At least the first error from google indicates this.
------------------------------
-------------------------------------------------------------------------------
Florian Baaske
-------------------------------------------------------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
-------------------------------------------------------------------------------
Also visit the AirHeads Youtube Channel:
https://www.youtube.com/channel/UCFJCnuXFGfEbwEzfcgU_ERQ
-------------------------------------------------------------------------------
Feel free to visit my personal Blog
https://www.flomain.de
Original Message:
Sent: Nov 20, 2023 11:32 PM
From: darthandy
Subject: ClearPass SSO With Google Workspace using SAML - RelayState missing/invalid
Hello,
From a very basic level, I am trying to get ClearPass SSO to work with Google G Suite. I've followed a couple guides (links below). For now, I am just trying to get admin authentication to work with ClearPass before I get more adventurous with user auth or web logins.
Config:
Basic custom SAML app in Google. The certificate was downloaded and I am pointing CPPM's SSO config to the below ACS. Notice also that the user access is ON for everyone.
![](https://higherlogicdownload.s3.amazonaws.com/HPE/MessageImages/7cbc3998d2b942e2ac5e871c6a05bbfd.png)
I have this accounts.google.com URL in the ClearPass SSO config (will show later).
![](https://higherlogicdownload.s3.amazonaws.com/HPE/MessageImages/988bd33e68fe41f58f982bd08ae220a2.png)
More details. I checked the Signed response checkbox, following the guides.
![](https://higherlogicdownload.s3.amazonaws.com/HPE/MessageImages/c3ad43221be24402ae58533c377002c3.png)
Notice all the settings and how they're following the guides.
![](https://higherlogicdownload.s3.amazonaws.com/HPE/MessageImages/095da3912e9640178d93e63f4b19db43.png)
And in case this matters (I don't think it does yet considering that I see nothing in Event Viewer or Access tracker regarding this login) here's my service config. Very barebones.
![](https://higherlogicdownload.s3.amazonaws.com/HPE/MessageImages/fdebdfe8e1514906948d47bef03c2a64.png)
![](https://higherlogicdownload.s3.amazonaws.com/HPE/MessageImages/e33c447f522a4738b4398db74e3dd216.png)
Now, when I navigate to ClearPass guest, I get redirected to Google's Account Chooser. AWESOME! I click on the account associated with the G Suite account and this is what it returns.
![](https://higherlogicdownload.s3.amazonaws.com/HPE/MessageImages/6aa0fc239f2b4244b78af65ef0c03eda.png)
Weird. I navigate back to Google and the SAML tab. I click on TEST SAML LOGIN. This is the result.
![](https://higherlogicdownload.s3.amazonaws.com/HPE/MessageImages/4ef11c157f0e46828f09e5f8c433671b.png)
What am I missing here?
Links:
https://support.hpe.com/hpesc/public/docDisplay?docId=a00091071en_us
https://www.flomain.de/2023/05/clearpass-sso/