- Different eSPACE Subscription Tiers include Different Features Including Single Sign On
- Viewing Your Subscription Details
- Each eSPACE admin with access to Billing can view which subscription tier the organization currently has, and everything included in the account, under Settings > Other > Billing > Manage.
If you are on an eSPACE subscription tier that includes Single Sign On and you get an error message similar to this when trying to log in to your account after setting up single sign-on with Google Workspace, read the following to troubleshoot.
The error you are getting is completely on Google's side. eSPACE has no control over what is going on over there. The diagram below will be helpful, as it shows the SAML SSO user flow from the eSPACE log-in page.
The left side is eSPACE, the right side is Google. Notice the light-blue box that says "eSPACE looks up user via email addy"? When eSPACE does this, we are looking for your Single Sign On Service URL, and then we forward your browser there. We don't even send an email address or anything...we just forward your browser there. Google then "catches" you and looks to see if you have an active Google session. If you do, it uses that session to see if you're authorized to use the app, and if so, it forwards you back to eSPACE with a special token that tells eSPACE who you are.
The problem you may be having is that in that first purple box "IdP recognizes user?", Google thinks you are someone that is NOT authorized to access eSPACE. eSPACE doesn't have any influence over Google in telling them who you are (otherwise SSO would have a huge security hole). So, unfortunately, there is nothing that we can do on the eSPACE side to convince Google that you are who you say you are.
By the way, if the SSO works for you in Incognito, it is because there are no session cookies, so Google sees nothing in your session history to tell it you might be someone else. That's why it prompts you to log in to your Google account (if it doesn't prompt you, then your incognito session isn't truly "clean"). And the "waffle" icon in Google...well, you are attempting to launch the app from right within Google, so it knows exactly who you are when you click to launch eSPACE.
One thing you could try is deleting your Google.com cookies in your browser. There might be some session cookies that are tripping up Google as it tries to identify you. Also, you could try browsing directly to the Google SSO URL and see what happens. I expect it will behave just like clicking Sign in with SSO and entering your email address.
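
The flow described above, as an added toy model (not eSPACE or Google code): the service provider uses the typed email only to find the SSO URL, and the identity provider decides who you are from its own session cookie. All accounts, cookie values, URLs, function names, and status names are constructed for illustration.

```python
# Toy model of the SP-initiated SAML flow; every value here is constructed.

# SP side: email domain -> IdP Single Sign On Service URL.
SSO_URLS = {"example.org": "https://idp.example/sso"}

# IdP side: accounts assigned to the app, and session cookie -> signed-in account.
APP_USERS = {"pat@example.org"}
IDP_SESSIONS = {
    "sess-work": "pat@example.org",
    "sess-personal": "pat.personal@example.com",
}


def sp_start_login(typed_email):
    """SP uses the email only to find the SSO URL; nothing about the user is sent."""
    domain = typed_email.rsplit("@", 1)[-1].lower()
    return {"redirect_to": SSO_URLS[domain], "params": {}}


def idp_handle(redirect, cookie_jar, login_as=None):
    """IdP identifies the user from its own session cookie, never from the SP."""
    account = IDP_SESSIONS.get(cookie_jar.get("idp_session"))
    if account is None:                  # no session: incognito or cleared cookies
        if login_as is None:
            return ("LOGIN_PROMPT", None)
        account = login_as               # user signs in at the prompt
    if account not in APP_USERS:         # "IdP recognizes user?" answers no
        return ("NOT_AUTHORIZED", account)
    return ("ASSERTION", account)        # token the IdP sends back to the SP


def try_sso(typed_email, cookie_jar, login_as=None):
    return idp_handle(sp_start_login(typed_email), cookie_jar, login_as)


if __name__ == "__main__":
    email = "pat@example.org"
    # Browser still holds a session for a different, unassigned account.
    print(try_sso(email, {"idp_session": "sess-personal"}))
    # Incognito / cookies cleared: IdP has to ask who you are.
    print(try_sso(email, {}))
    print(try_sso(email, {}, login_as=email))
    # Browser session already belongs to the assigned account.
    print(try_sso(email, {"idp_session": "sess-work"}))
```

The first case is rejected even though the correct email was typed at the service provider, because that email never reaches the identity provider.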