Skip to content

IAmFrench/GSuite-as-identity-Provider-IdP-for-Office-365-or-Azure-Active-Directory

master
Switch branches/tags
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 

GSuite-as-identity-Provider-IdP-for-Office-365-or-Azure-Active-Directory

Sync G Suite accounts with Azure active directory!

Google Admin requirements

Set up SAML app (choose Microsoft Office 365)

GSuite Admin SAML Apps Link

GSuite SAML Apps

Note:

ACS URL: https://login.microsoftonline.com/login.srf

Entity ID: urn:federation:MicrosoftOnline

GSuite Office 365 Settings

Configure Provisioning

Ensure that you are using an administrator Azure Active Directory account that is not already linked to your existing Google account.

GSuite Office 365 Provisioning settings Link

GSuite Office 365 settings

Azure Active Directory requirements (this is a pain in the a**)

Validate your domain on Azure: https://portal.azure.com/?l=en.en-us#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Domains

And DON'T set this domain as Primary:

Download the GoogleIDPMetadata-{your-domain}.xml file:

GoogleIDPMetadata-{your-domain}.xml sample file

Then install all required tools (powershell tools)

Required PowerShell tools https://www.microsoft.com/en-us/download/details.aspx?id=41950

And start a powershell console: Install-Module MSOnline Enter your MS credentials.

Import-Module MSOnline
$Msolcred = Get-credential
Connect-MsolService -Credential $MsolCred

Now edit my sample dfs-pf-samlp.xml file with your Google Ids:

  • GOOGLESAMLID and
  • copy paste your certificate (from GoogleIDPMetadata-{your-domain}.xml file)

Then import the config into powershell:

$wsfed = Import-Clixml dfs-pf-samlp.xml

And Set the domain as federated:

Set-MsolDomainAuthentication -DomainName "{your-domain}" -FederationBrandName $wsfed.FederationBrandName -Authentication Federated -PassiveLogOnUri $wsfed.PassiveLogOnUri -ActiveLogOnUri $wsfed.ActiveLogonUri -SigningCertificate $wsfed.SigningCertificate -IssuerUri $wsfed.IssuerUri -LogOffUri $wsfed.LogOffUri -PreferredAuthenticationProtocol "SAMLP"

And use this command to export your domain settings:

Get-MsolDomainFederationSettings -DomainName "{your-domain}" | Export-Clixml dfs-pf-samlp.xml

The command to view the config is:

Get-MsolDomainFederationSettings -DomainName "{your-domain}" | Format-List *

Next you have to assign a license to all your users and to set azure self service password reset to off:

https://portal.azure.com/?l=en.en-us#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/PasswordReset

Test the link with incognito mode or invite mode:

  1. From Office 365: https://www.office.com/
  2. From App launcher (Google App)

Google App launcher

Troubleshooting

  1. Delete the user from the Azure side.
  2. Wait a few hours for G Suite Auto Provisioning to work.