Issue with Google Workspace SSO Using SAML with Only One Active Session

Problem statement

With Google Workspace as the SAML IdP, when the user has an active Google session for an account that is not part of the SAML connection, Google returns the error "Application is not setup for the user" instead of allowing the user to log in as a different user.

Steps to reproduce

  1. The user has one active session on Google, as e.g.
  2. The user logs in example platform as
  3. Auth0 sees that the domain corresponds to the Google Workspace SAML connection, so it redirects to the Google IdP.
  4. Google uses the active session to log the user in, but isn’t part of the @example Workspace, so it returns the "Application is not setup for the user" error.
  5. The user needs either to log out from or log in to a new session as (in Google).
  6. If the user has one (and only one) open session, Google doesn’t prompt the user for which session to use (either the active one or a new one).


SAML IdPs do not support upstream parameters. See Pass Parameters to Identity Providers for more details.


Unfortunately, there is no solution. Usually, the app can prompt the user to select their account every time by passing the prompt=select_account parameter to Google during each login, but SAML connections do not accept this parameter.

To suggest this functionality, please consider raising it here: Auth0: Secure access for everyone. But not just anyone.