Force Google Account Selection on every login using SAMLv2 IdP

nico.ayala · 28 Apr 2023, 14:36

Re: Force Google Account Selection on every login

We have an issue similar to the one linked above. In our case, we have configured Google IdP via SAMLv2.

When a user starts the sign-in flow, Google's AccountChooser pops up, the user selects one account and finishes the sign-in flow without issues. The second time the user signs in, the account chooser does not appear, so there is no way to select another account.

We use the idp_hint param to skip the FusionAuth sign-in page and go straight to Google's AccountChooser. We tried login_hint and prompt=select_account to the OAuth authorization URL without success.

Is there a way to force Google account selection via SAMLv2?

Any suggestions are welcome, thanks in advance!

dan · 5 May 2023, 14:12

@nico-ayala

Thanks for using FusionAuth!

I don't believe there's a way to pass prompt=select_account through the SAMLv2 process.

Since you are (I think) using Google as a SP, is there any reason you can't use the OIDC integration instead?

Dan

nico.ayala · 5 May 2023, 14:12

@dan I would need to explore what the requirements are to have an OIDC integration instead. This change might also require bothering customers with more configuration on their side.

Thanks for the help!

dan · 18 May 2023, 00:48

@nico-ayala Makes sense. We have some documentation here: https://fusionauth.io/docs/v1/tech/identity-providers/google#custom-parameters

Though that is for setting up an OIDC provider in FusionAuth, it might be somewhat helpful.