Logout/timeout issues with G Suite SSO

aripringle
New Contributor II

We recently set up our JSS instance to use G Suite for Single Sign-On, following these instructions: https://www.jamf.com/jamf-nation/articles/440/configuring-single-sign-on-with-g-suite-google-apps

Everything is working well, except after a certain amount of time, the user starts getting SSO errors like this when attempting to log into JSS: "An error occurred while processing your Single Sign-On request. Contact your administrator for assistance."

When this happens, it appears that the only way to fix it is to log out of Google and back in, which is not the ideal user experience. It also prevents us from being able to use authentication in the Self Service app, since there's not an easy way to force a Google logout inside of it.

I haven't tested the exact timeframe, but I believe this occurs after the SAML Token Expiration (which is defined in the JSS as 480 minutes). I can increase this, but I'm not sure what the ideal setting is, or if increasing it would just postpone this issue.

I'm curious if anyone is successfully using G Suite SSO and not experiencing these timeout issues?

I've seen some similar discussions related to this (like https://stackoverflow.com/questions/40939839/google-apps-sso-as-idp-into-spring-saml2-authentication-token-timeout), but haven't found any real solutions.

5 REPLIES

aripringle
New Contributor II

Just wanted to share, after my initial post, we increased the SAML Token Expiration in Jamf Pro to 108,000 minutes (75 days), which seems to have resolved it (at least mostly).

We still seem to have the occasional user that tries to log in to do User-Initiated Enrollment and ends up needing to log out of Google and back in (even if this is the first time they're logging into our Jamf instance, so I'm not 100% sure that it's related). But, I haven't seen it happen on my own account since making the change.
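A diagnostic sketch for the timeout hypothesis discussed above, added here as an example and not part of the original thread or of Jamf's or Google's code. It assumes (the thread does not confirm this) that the "SAML Token Expiration" setting is enforced as a maximum age on the assertion's `AuthnInstant`, so an otherwise fresh assertion from a long-lived Google session is rejected; the sample assertion, timestamps and function names are constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: a trimmed, unsigned assertion (not captured from Google or Jamf).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" IssueInstant="2020-08-24T11:52:00Z" Version="2.0">
  <saml:Conditions NotBefore="2020-08-24T11:47:00Z" NotOnOrAfter="2020-08-24T11:57:00Z"/>
  <saml:AuthnStatement AuthnInstant="2020-08-24T02:30:00Z" SessionIndex="_constructed"/>
</saml:Assertion>"""

def parse_instant(value):
    """Parse a SAML xs:dateTime in UTC, with or without fractional seconds."""
    value = value.rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in value else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)

def check_assertion(xml_text, now, max_auth_age_minutes):
    """Report assertion validity window and authentication age separately.

    Only for inspecting a response you captured yourself: the signature is
    not verified here, so the result is diagnostic, not a trust decision.
    """
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    stmt = root.find("saml:AuthnStatement", NS)
    if cond is None or stmt is None:
        raise ValueError("assertion lacks Conditions or AuthnStatement")
    not_before = parse_instant(cond.get("NotBefore"))
    not_after = parse_instant(cond.get("NotOnOrAfter"))
    auth_age = now - parse_instant(stmt.get("AuthnInstant"))
    return {
        "assertion_fresh": not_before <= now < not_after,
        "auth_age_minutes": int(auth_age.total_seconds() // 60),
        "auth_age_ok": auth_age <= timedelta(minutes=max_auth_age_minutes),
    }

if __name__ == "__main__":
    now = datetime(2020, 8, 24, 11, 52, 20, tzinfo=timezone.utc)
    for limit in (480, 108000):  # the two settings mentioned in the thread
        print(limit, check_assertion(SAMPLE_ASSERTION, now, limit))
```

Under that assumption, raising the limit to 108,000 minutes makes the error go away by accepting a Google authentication up to 75 days old, which is the trade-off to weigh against forcing re-authentication at the IdP.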

thomas-cedar
New Contributor II

We ran into this issue at our company as well. We ended up disabling SSO, because it was more trouble than it was worth.

crystallized
New Contributor III

I'm having this issue now as well. I have found this thread and https://productforums.google.com/forum/#!topic/apps/Chg9VfFJZFM mentioning it, but no solutions either. Extending token expiration to almost three months seems unreasonable. Has anyone found anything? I might put in a support ticket.

jamfusername
New Contributor

Confirmed issue with G Suite and Jamf. This is the only SaaS SSO setup I have with G Suite that has this issue.

Also, confirmed that extending the token timeout does have a direct impact on the symptoms I was seeing.

RolfZ
New Contributor II

We are also experiencing this issue. I have opened a support case regarding this issue.
Is anyone else seeing this error message in the JSS logs when SSO fails:

2020-08-24 11:52:20,603 [WARN ] [ina-exec-37] [TokenAuthenticationFilter] - Illegal base64url character: '&' io.jsonwebtoken.io.DecodingException: Illegal base64url character: '&' at io.jsonwebtoken.io.Base64.ctoi(Base64.java:206) ....