0
votes

I have SAML single sign-on configured in my Google Apps account, allowing users of my web application to redirect seamlessly to Google Apps with no additional sign-in required.

This works as expected when the mapped Google Apps user was created by hand in the admin portal.

The issue arises when I create users via the Admin SDK Directory API (which I invoke using Service Account credential). The user is created in suspended status with reason WEB_LOGIN_REQUIRED. Browsing the user in the admin portal indicates that the user will be prompted to authenticate via phone when they attempt to sign in.

When the API-created user is redirected to Google Apps for SAML sign on from my app, a Google page is displayed in the browser stating:

This account has been disabled We are unable to process your request at this time, please try again later.

This happens before Google Apps redirects back to my app for SAML auth. I verified that the user is being provisioned with a valid mobile phone number. Attempting to create the user with suspended=false is ignored.

Any ideas on how to complete SSO with API-created user accounts would be appreciated!

2

2 Answers

0
votes

I'd suggest contacting Google support to determine why the accounts are being suspended by Google (not by the admin) at creation time. This is not normal/expected behavior and may indicate that Google's servers suspect your domain may be a spambot or such.

0
votes

I have a potential resolution. When I first saw your post it echoed the same problem I was having and at the time Google support was not in the least bit helpful (I tried to post a query to see if you had found a resolution but it was rejected by stackoverflow, so you may have already solved it - if it is the same problem I describe below, you most certainly would have by now, but this could be useful for others).

In my particular case I had just upgraded from the free Google service to a paid service to activate access to the API. What was not clear was that the upgrade actually started a 30 trial - during this time users created through the API may be automatically be suspended in the way you've described (and with SSO enabled the user is not directed to an activation page when they login). This was the case for me. You can forego the trial (there is a link to do this in the Google admin console) and when I did this users created through the API were created as normal (not suspended). There is a rumour that the first 10 would be suspended but after that the suspension does not apply. I'm not sure if that is the case as I had already created more than 10 users prior to stumbling over the solution.