403 error: app_not_configured_for_user | The following error scenarios might occur when you try out a SAML single sign-on (SSO) flow in identity provider (IdP)-initiated or service provider (SP)-initiated flows:
This error can occur in these scenarios:
- In an SP-initiated flow, the application corresponding to the entity ID mentioned in the request has not been created in the Admin console.
- In an SP-initiated flow, the entity ID provided in the SAMLRequest does not match any of the entity IDs of the currently installed apps. If someone tampers with the application ID (SP ID) mentioned in the IdP-initiated URL, then you will see an
To resolve the 403 app_not_configured error:
- Ensure that the application corresponding to the entity ID mentioned in the request has been installed before you initiate the request.
- Ensure that the entity ID provided in the SAMLRequest is correct and matches the one you specified during app creation.
- Ensure that the SP ID being passed in the request URL is the same as app-id app_not_enabled.
To resolve the 403 app_not_configured_for_user error:
Verify that the value in the saml:Issuer tag in the SAMLRequest matches the Entity ID value configured in the SAML Service Provider Details section in the Admin console. This value is case-sensitive.
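The check above can be scripted. The following added example, which is not from the original page, decodes a captured SAMLRequest value (HTTP-Redirect or HTTP-POST binding), reads saml:Issuer, and compares it case-sensitively with the configured Entity ID. The function names and the sp.example.test entity ID are assumptions made for illustration.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"  # namespace of saml:Issuer
MAX_XML = 64 * 1024  # cap inflated size so a crafted value cannot exhaust memory

def decode_saml_request(value: str) -> bytes:
    """Return the AuthnRequest XML carried in a SAMLRequest parameter."""
    raw = base64.b64decode(urllib.parse.unquote(value))
    if raw.startswith(b"<"):
        return raw  # HTTP-POST binding: base64 only
    # HTTP-Redirect binding: raw DEFLATE (no zlib header) under the base64
    return zlib.decompressobj(-15).decompress(raw, MAX_XML)

def extract_issuer(xml: bytes) -> str:
    """Read the saml:Issuer child of the AuthnRequest root element."""
    if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:
        raise ValueError("DTDs are not expected in SAML messages")
    issuer = ET.fromstring(xml).find(f"{{{SAML_NS}}}Issuer")
    if issuer is None or not issuer.text:
        raise ValueError("AuthnRequest has no saml:Issuer")
    return issuer.text

def check_issuer(saml_request: str, configured_entity_id: str) -> str:
    """Compare the request's Issuer with the Entity ID set in the Admin console."""
    issuer = extract_issuer(decode_saml_request(saml_request))
    if issuer == configured_entity_id:  # exact, case-sensitive comparison
        return "match"
    if issuer.lower() == configured_entity_id.lower():
        return "case-mismatch"  # differs only in letter case
    return "mismatch"

def encode_redirect(xml: bytes) -> str:
    """Build a Redirect-binding SAMLRequest value (used for the sample below)."""
    c = zlib.compressobj(wbits=-15)
    deflated = c.compress(xml) + c.flush()
    return urllib.parse.quote(base64.b64encode(deflated), safe="")

# Constructed sample request; sp.example.test is a placeholder entity ID.
SAMPLE_XML = (
    b'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    b'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0">'
    b"<saml:Issuer>https://SP.example.test/metadata</saml:Issuer>"
    b"</samlp:AuthnRequest>"
)
SAMPLE = encode_redirect(SAMPLE_XML)
```

Pass the SAMLRequest value copied from the browser's network trace as the first argument and the Entity ID from the Admin console as the second; a "case-mismatch" result points to the case-sensitivity issue described above.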
To resolve the 403 app_not_enabled_for_user error:
- Sign in to your Google Admin console. Sign in using your administrator account (does not end in @gmail.com).
- In the Admin console, go to Menu > Apps > Web and mobile apps.
- In the app list, locate the SAML app generating the error.
- Click the app to open its Settings page.
- Click User access.
- Turn the app ON for everyone or for the user’s organization.