Issue with Google Workspace SSO Using SAML with Only One Active Session

Problem statement

With Google Workspace as the SAML IdP, if the browser holds an active Google session for an account that does not belong to the Workspace behind the SAML connection, Google returns the error "Application is not setup for the user" instead of letting the user log in as a different account.

Steps to reproduce

  1. The user has one active session on Google, e.g. as john.doe@somedomain.com
  2. The user logs in to the example platform as foobar@example.com
  3. Auth0 sees that the @example.com domain corresponds to the Google Workspace SAML connection, so it redirects to the Google IdP
  4. Google uses the active session to log the user in, but john.doe@somedomain.com is not part of the @example.com Workspace, so it returns the "Application is not setup for the user" error.
  5. The user needs either to log out of john.doe@somedomain.com or to start a new Google session as foobar@example.com.
  6. If the user has one (and only one) open session, Google does not prompt the user to choose which session to use (the active one or a new one)

Cause

SAML IdPs do not support upstream parameters. See Pass Parameters to Identity Providers for more details.

Solution

Unfortunately, there is no solution. Usually, an application can force Google to show the account chooser on every login by passing the prompt=select_account parameter, but SAML connections do not accept this parameter.

To suggest this functionality, please consider raising it here: Auth0: Secure access for everyone. But not just anyone.