I have SAML single sign-on configured in my Google Apps account, allowing users of my web application to redirect seamlessly to Google Apps with no additional sign-in required.
This works as expected when the mapped Google Apps user was created by hand in the admin portal.
The issue arises when I create users via the Admin SDK Directory API (which I invoke using Service Account credential). The user is created in suspended status with reason WEB_LOGIN_REQUIRED. Browsing the user in the admin portal indicates that the user will be prompted to authenticate via phone when they attempt to sign in.
When the API-created user is redirected to Google Apps for SAML sign on from my app, a Google page is displayed in the browser stating:
This account has been disabled We are unable to process your request at this time, please try again later.
This happens before Google Apps redirects back to my app for SAML auth. I verified that the user is being provisioned with a valid mobile phone number. Attempting to create the user with suspended=false is ignored.
Any ideas on how to complete SSO with API-created user accounts would be appreciated!