Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Having multiple Google accounts (using the hd parameter) #598

Open
Biganon opened this issue Oct 9, 2024 · 4 comments
Open

Having multiple Google accounts (using the hd parameter) #598

Biganon opened this issue Oct 9, 2024 · 4 comments

Comments

@Biganon
Copy link

Biganon commented Oct 9, 2024

I'm using Google as an SAML IdP for my app.

It works, but when a user has 2 Google accounts (say, one for work and one for leisure), during the login process they see the account chooser. This doesn't really make sense, because we know we want to choose the address that ends with @mycompany.com .

Worse : if they pick the wrong account (the one that isn't configured to work with my app), they get an error, and still get a cookie according to which this account should be used, and they can't reach the account chooser anymore...

According to this link, Google accepts an hd parameter with the domain name you want to automatically pick, and it works great.

Only problem is, it only works on the account chooser page. That's not the page on which we land when connecting with SAML (https://accounts.google.com/o/saml2/something). When adding the hd parameter to this URL (which php-saml lets us do easily with the parameters argument of the login method), it is encoded with the rest of the URL, and passed to the account chooser, as a GET parameter called continue. Therefore the account chooser doesn't receive the actual hd parameter... in other words, the account chooser's url is like https://accounts.google.com/AccountChooser/signinchooser?continue=https%3A%2F%2Faccounts.google.com%2Fo%2Fsaml2%2Fcontinue%3Fidpid%3Dblah_blah_encoded_url%2Fhd%3Dmy_hd_parameter

Any idea what we could do?

Thanks in advance

PS : if I'm not being clear enough, please just see the link I've included, and consider that I would like to achieve exactly what it is that they're doing, but while using php-saml)

@Biganon Biganon changed the title Having multiple Google accounts Having multiple Google accounts (using the hd parameter) Oct 9, 2024
@Biganon
Copy link
Author

Biganon commented Oct 9, 2024

Cf. #213 , same issue.

It is indeed a problem on Google's side, but I feel like a simple solution with php-saml either already exists (and I haven't found it yet), or would be feasible.

@pitbulk
Copy link
Contributor

pitbulk commented Oct 10, 2024

If you are sending a SAMLRequest via HTTP-Redirect

https://accounts.google.com/o/saml2?idpid=xx&hd=yy

and you end at

https://accounts.google.com/AccountChooser/signinchooser?continue=

It is clear that Google has not recognized the hd parameter.

I tried to search an official Google doc describing hd, but only found references to the OIDC protocol.

If you are trying to execute an SP-initiated flow, what happens if rather than using an AuthNRequest authentication, you instead redirect the user to:

https://accounts.google.com/AccountChooser/signinchooser?hd=yy&continue=(<SP_initiated_SSO_URL>)

Example:

https://accounts.google.com/AccountChooser/signinchooser?hd=domain.com&continue=https%3A%2F%2Fsp.example%2Fsaml%2Flogin

Maybe if the user selected the account, is not asked again to select the account.

Alternative: Have you tried to send the email in the NameID

So basically at your app you request user for its email, and then build the AuthNRequest to include that parameter. I have no tested but maybe that bypasses the need of AccountChooser.

See nameIdValueReq

@Biganon
Copy link
Author

Biganon commented Oct 10, 2024

If you are trying to execute an SP-initiated flow, what happens if rather than using an AuthNRequest authentication, you instead redirect the user to [...]

Yup that's what I'm trying to achieve now, but I feel like it implies modifying the lib itself, to "manually" build the AccountChooser URL with whatever weird combination of triply-urlencoded parameters Google is using at this step

@Biganon
Copy link
Author

Biganon commented Oct 23, 2024

Here's a dirty hack I've made that solves the problem, allowing you to append &hd=example.com at the end of the SSO URL. If someone feels like cleaning it up and making a PR, feel free.
google_hd_parameter.patch.txt

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

2 participants