How to configure Google Workspace SAML?

My version of HedgeDoc is: 1.9

I’m trying to setup Hedgedoc so that I can login using my Google Workspace (G Suite) account. What i did so far:

On Google’s side:

• Set ACS URL to https://domain.com/auth/saml/callback
• Set Entity Id to https://domain.com/auth/saml/metadata
• Start URL left empty
• Signed response not checked
• Set a certificate
• Set Name ID format to UNSPECIFIED
• Set Name ID to Basic Information > Primary email

and set the Service status to “ON for everyone”

On Hedgedocs I set the following variables:

  - CMD_SAML_IDENTIFIERFORMAT=urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
  - CMD_SAML_IDPSSOURL=https://accounts.google.com/o/saml2/idp?idpid=XXXXXXXXX
  - CMD_SAML_IDPCERT=/data/certificate.pem
  - CMD_SAML_ISSUER=Hedgedoc

  - CMD_SAML_ATTRIBUTE_USERNAME=E-ID
  - CMD_SAML_ATTRIBUTE_EMAIL=email

With these settings I can login if I click “TEST SAML LOGIN” in the Google admin console. However if I go to my Hedgedoc instance, click on login → login using SAML → log into Google, I get

403. That’s an error.

Error: app_not_configured_for_user

Service is not configured for this user.

What did I set wrong?

Hi @maeries and welcome to the HedgeDoc community!

I’m not sure whether it’s applicable to your use case, but maybe it’s easier to use our login with Google option instead of figuring manually with SAML options.
See the config options for this over here: https://docs.hedgedoc.org/configuration/#google-login

Greetings, Erik

That would be a possibility, too, but from what I read, SAML would be the appropriate solution here. Even though I don’t really understand why, to be honest.