Error "access.api.error.failed_to_load_group (Code: 11020)" when adding G Suite groups to Access policy

I’m seeing error “access.api.error.failed_to_load_group (Code: 11020)” when adding G Suite groups to an Access policy. Is there a specification of what attributes a group must contain in order to be available to Access policies?

Just tried this myself and I had the same issue. I was able to fix it by enabling the APIs “Admin SDK” and “Groups Settings API” in Google Cloud Console.

Let me know if this works.

The “Admin SDK” API was already enabled on the project that owns the applicable Client ID, but “Groups Settings” was not. I enabled it, but am still receiving the same error. Is there a way to see the API calls that are being made (and their specific response codes)?

Also, the identity provider configuration guide doesn’t mention needing the “Groups Settings” API and doesn’t mention adding any related scopes for domain-wide delegation. Is the documentation out-of-date?

I didn’t need to add domain-wide delegation, although this was set as an “internal” app for my organization so that might change things.

Also, I might have been wrong about that being the fix. I don’t see any API requests to admin or group API.

My only other suggestion would be to click the IDP and run the setup again, doing the “test” where it ensures that the OAuth flow is set up; that might cache the list of groups or something of the sort.

I am having this exact problem right now. Did you ever solve it?

I am as well, and would love any kind of hints from here…

This post was flagged by the community and is temporarily hidden.

This post was flagged by the community and is temporarily hidden.

@MoreHelp Please help here - ticket number: 2263788

This post was flagged by the community and is temporarily hidden.

Why am I getting flagged? @MoreHelp please see above.

I have the same issue. I added policies with G Suite groups around June 2021, and all worked.
Now if I open the same old policy and try to save it without modifying it, I get this error:
text: Error configuring your application: access.api.error.failed_to_load_group

We have observed a small handful of similar reports of this issue and see the customer was able to proceed with the following steps. Let us know if this helps:

  • Log in to your Google G-Suite account.
  • Change your application type to Public on the configure consent screen.
  • Recreate the IDP in the Cloudflare Dashboard and click continue to go to log in through Google.
  • Once you successfully log in to Google, switch the application type back to Internal.

Please let us know if this fixes the issue.

@cloonan thanks for the info. Support advised this a few days ago, but I had some questions about existing data and haven’t heard back for 3 days. Here’s what I asked.

Our app was already public before. Should it be internal only?

I tried switching it to internal, but that didn’t fix the issue. I was still able to use the Test button in the dashboard and log in to an existing site.

The most puzzling part here is that the Test button works, and you continue to authenticate our users, so the credentials and connection are definitely generally operational.

When you say recreate the IDP in Cloudflare, do you mean to delete it and then create it again? We have many production configs set up with the current IDP. Will deleting it cause a disruption by removing all of our current rules? If so, that’s not a route we could take. Is there anything your team can do from your end if there would be disruption?

I received an update from support confirming that there was an issue that has been fixed. We’re able to resave existing groups and add new configs with groups now. No action was required on our part.