Google SSO cannot be activated - "Single Sign-On fehlgeschlagen. Benutzername stimmt nicht überein."

I cannot activate Google SSO in passbolt because I get the error “Single Sign-On fehlgeschlagen. Benutzername stimmt nicht überein.” when I test the integration after saving the client id and secret - which may be because I use a different mail address for my google account than for my passbolt login. Is there any possibility to let passbolt know my google mail address to make this work?

Hello @anli !

No, there’s no option (that I know of) to map a Google email to a Passbolt username with Google.
For security reasons both need to match (it avoids impersonating an account, for instance).

But what you might do, if you are 100% sure of your configuration (it should be the case IMO, as the error comes from Passbolt after a successful authentication) and you have access to the database, is to change a value in it to activate the settings.
I don’t have my computer with me right now, so I can only do this from memory. There is a table in your DB called sso_settings and in it a column called status that has only the following possible values: draft or active. So you might identify which settings you want to move from draft to active by changing the status.

Here are queries you might try:
To ensure there is no active configuration:

SELECT COUNT(*) FROM sso_settings WHERE status = 'active';

It should return 0; otherwise you already have something active.

To get the last sso_settings, which should be draft:

SELECT id, status FROM sso_settings ORDER BY created_at DESC LIMIT 1;

This way you’ll get the id of the settings you want to change. Check first that the status is draft and not active.

Then, to activate it:

UPDATE sso_settings SET status='active' WHERE id='<put the id here from latest query>';

(Keep the ' around the id of the settings)

With the update query, the configuration should be active. However, keep in mind it doesn’t solve the username problem you encounter, and it might happen for other users you have.


Hello @Steph ,
thanks a lot for posting this procedure, I’ll give it a try. In the 4.1 release notes at Passbolt Help | War Pig I found “SSO integrations now support username/email remapping” which sounds like what I need. I installed the version but I didn’t find an option for configuring the remapping - neither per user nor in the server settings. Isn’t this what I’m looking for?

Hey @anli,
The username/email mapping option is only available for Azure SSO.