I have configured SAML authentication following the guidelines in:
Upon clicking the [Login via SAML] button in the user sign-in dialogue, I am getting the error from Google (the client’s SAML side):
- That’s an error.
The server cannot process the request because it is malformed. It should not be retried. That’s all we know.
It looks like Google is rejecting the request from Anvil due to security policies? See the logged response:
HTTP/1.1 400
content-type: text/html; charset=utf-8
cache-control: no-cache, no-store, max-age=0, must-revalidate
pragma: no-cache
expires: Mon, 01 Jan 1990 00:00:00 GMT
date: Wed, 30 Oct 2024 10:12:28 GMT
strict-transport-security: max-age=31536000; includeSubDomains
content-security-policy: script-src 'report-sample' 'nonce-GknHsVr-lEbVJJbjHv5jQg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/SamlOutboundLogonIdp/cspreport;worker-src 'self'
content-security-policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/SamlOutboundLogonIdp/cspreport/allowlist
content-security-policy: require-trusted-types-for 'script';report-uri /_/SamlOutboundLogonIdp/cspreport
content-security-policy-report-only: script-src 'unsafe-inline' 'unsafe-eval' blob: data:;report-uri /_/SamlOutboundLogonIdp/cspreport/fine-allowlist
cross-origin-opener-policy-report-only: same-origin; report-to="SamlOutboundLogonIdp"
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
permissions-policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
report-to: {"group":"SamlOutboundLogonIdp","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/SamlOutboundLogonIdp"}]}
content-encoding: gzip
server: ESF
x-xss-protection: 0
x-content-type-options: nosniff
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Any clues what’s going wrong here? Is it the Anvil side or the client’s Google SAML side?
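A 400 from the IdP's SSO endpoint with nothing more than "malformed" usually means the AuthnRequest itself, not the response headers above, is what needs inspecting. The script below is an added debugging example, not Anvil's code and not anything from the original post: it builds a minimal SAML 2.0 AuthnRequest, encodes it the way the HTTP-Redirect binding does (raw DEFLATE, base64, URL-encode), decodes a captured SAMLRequest back to XML, and runs the sanity checks a practitioner would do before blaming either side (well-formed XML, required attributes, Destination matching the IdP SSO URL, a non-empty Issuer, an https ACS URL). The entity ID and URLs are placeholders; substitute the values from the Anvil app and the Google Workspace SAML app configuration, and paste the real query string from the redirect to Google into decode_redirect_binding.

```python
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed placeholder values; replace with the real SP entity ID, ACS URL
# and the IdP SSO URL from the Google Workspace SAML app configuration.
SP_ENTITY_ID = "https://sp.example.test/saml/metadata"
ACS_URL = "https://sp.example.test/saml/acs"
IDP_SSO_URL = "https://idp.example.test/sso"


def build_authn_request(issuer, acs_url, sso_url, request_id=None):
    """Build a minimal SAML 2.0 AuthnRequest as a string."""
    # SAML IDs must be NCNames, so they may not start with a digit.
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{sso_url}" AssertionConsumerServiceURL="{acs_url}" '
        f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        f"</samlp:AuthnRequest>"
    )


def encode_redirect_binding(xml_text, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, URL-encode."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw deflate
    deflated = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    return urlencode(params)


def decode_redirect_binding(query_string):
    """Reverse the binding so the request the SP actually sent can be read."""
    params = parse_qs(query_string)
    raw = base64.b64decode(params["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode("utf-8")


def check_authn_request(xml_text, expected_sso_url):
    """Return a list of problems; an empty list means the basic checks pass."""
    problems = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        problems.append(f"root element is {root.tag}, expected samlp:AuthnRequest")
    for attr in ("ID", "Version", "IssueInstant"):
        if not root.get(attr):
            problems.append(f"missing required attribute {attr}")
    if root.get("Version") not in (None, "2.0"):
        problems.append(f"unexpected Version {root.get('Version')!r}, expected 2.0")
    destination = root.get("Destination")
    if destination and destination != expected_sso_url:
        problems.append(
            f"Destination {destination!r} does not match the IdP SSO URL {expected_sso_url!r}"
        )
    issuer = root.find(f"{{{SAML}}}Issuer")
    if issuer is None or not (issuer.text or "").strip():
        problems.append("missing saml:Issuer (the SP entity ID the IdP matches against its app config)")
    acs_url = root.get("AssertionConsumerServiceURL")
    if acs_url and not acs_url.startswith("https://"):
        problems.append(f"AssertionConsumerServiceURL {acs_url!r} is not https")
    return problems


if __name__ == "__main__":
    request_xml = build_authn_request(SP_ENTITY_ID, ACS_URL, IDP_SSO_URL)
    query = encode_redirect_binding(request_xml, relay_state="/app")
    decoded = decode_redirect_binding(query)
    print(decoded)
    print("problems:", check_authn_request(decoded, IDP_SSO_URL) or "none")
```

To inspect the request Anvil really sends, copy the query string of the redirect to accounts.google.com from the browser's network log (the part after the `?`) and pass it to decode_redirect_binding; if the checker reports a Destination or Issuer mismatch, the fix is in the SP or Google app configuration rather than in the CSP headers shown above.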