Name-5306 asked:

Setup of G Suite IDP for SAML direct federation for B2B

We want to enable guest users for a particular domain to log in with their G Suite accounts. We set up the direct federation, but invitations are not redeeming.

We can see that when the user accepts the invitation, the user is passed to G Suite, authenticated, and passed back to Azure, but then gets the message:

Invitation redemption failed
An error has occurred. Please retry again shortly.

It seems then the SAML response from G Suite to Azure is broken. Either the SAML response is malformed or Azure isn't processing the response correctly.

Any ideas?

azure-active-directory

amanpreetsingh-msft commented: @Name-5306 could you please share the correlation id and timestamp?

Name-5306 (replying to amanpreetsingh-msft):

Correlation Id:28288f28-051b-4af4-8189-06c739031838
Timestamp:2020-03-13 02:34:38Z

amanpreetsingh-msft answered:

@Name-5306 I tried to fetch the details from our backend database based on the correlation ID and timestamp but I was not able to find any records.

If you're still having an issue here, please email AzCommunity[at]microsoft[dot]com and I can enable a one time free support ticket. Please provide your Azure Subscription GUID and a reference to this thread. And hopefully we can get you on the right path again soon.

In addition to that, once you are able to resolve your issue with the support engineer, please post your response on this thread so that future readers will be able to benefit from your solution.


We are about to try configuring Direct Federation between our sandbox Azure AD and G suite IdPs. Do you have any information on the issue posted here?


Name-5306: @RossPhil-2395 The problem was with attribute mapping in the G Suite IdP.

GV-9320 answered:

@Name-5306 Did you solve your issue? If yes, how?

Thanks


gaurav2626-7407 answered:

Hi. I've been trying to implement a similar configuration. Can you please help me with how the SAML app is to be set up at the G Suite end?


@GV-9320 Can you also help me if you have figured a solution?

GV-9320 (replying to gaurav2626-7407):

Hi Guys,

I was able to configure federated login, but direct SSO from G Suite apps is still broken: the Azure support guys said it's a Google fault, but I haven't had time to dig into it with the G Suite support team.
My G Suite SAML App config:

ACS URL: https://login.microsoftonline.com/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/saml2
Entity ID: urn:federation:MicrosoftOnline
Attribute Mapping:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress -> Basic Information -> Primary Email

where XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX is your Tenant ID (you can find it on the Overview dashboard).

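Added example (not from the thread, Microsoft or Google): a small Python check that compares a SAML Response against the settings GV-9320 lists above, so a redemption failure can be narrowed down to the ACS URL, the Entity ID/Audience, or the emailaddress attribute mapping that Name-5306 found to be the cause. The sample response, the tenant id and guest@example.com are constructed placeholders, and signature validation is deliberately left out (Azure AD performs that itself).

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
ENTITY_ID = "urn:federation:MicrosoftOnline"         # Entity ID from the thread
TENANT = "00000000-0000-0000-0000-000000000000"     # placeholder tenant id, not a real tenant


def check_saml_response(xml_text, tenant_id, invited_email):
    """Return a list of findings (empty = Response matches the thread's working config).
    Only Destination, Audience and the emailaddress attribute are checked, not the signature."""
    findings = []
    root = ET.fromstring(xml_text)
    acs_url = f"https://login.microsoftonline.com/{tenant_id}/saml2"
    if root.get("Destination") != acs_url:
        findings.append(f"Destination {root.get('Destination')!r} != ACS URL {acs_url!r}")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return findings + ["Response carries no Assertion"]
    audience = assertion.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    if audience is None or audience.text != ENTITY_ID:
        findings.append(f"Audience is not {ENTITY_ID!r}")
    # The claim name must match exactly; a friendly name like "email" is what a wrong mapping produces.
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    values = attrs.get(EMAIL_CLAIM)
    if not values:
        findings.append(f"missing attribute {EMAIL_CLAIM}; found {sorted(attrs)}")
    elif values != [invited_email]:
        findings.append(f"{EMAIL_CLAIM} = {values} but invitation was sent to {invited_email}")
    return findings


def sample_response(attribute_xml, tenant_id=TENANT):
    """Constructed, unsigned SAML Response used only to exercise the check above."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  Version="2.0" Destination="https://login.microsoftonline.com/{tenant_id}/saml2">
  <saml:Assertion Version="2.0">
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{ENTITY_ID}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>{attribute_xml}</saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


# Correct mapping (Primary Email -> emailaddress claim) versus a mis-mapped attribute name.
GOOD_ATTR = f'<saml:Attribute Name="{EMAIL_CLAIM}"><saml:AttributeValue>guest@example.com</saml:AttributeValue></saml:Attribute>'
BAD_ATTR = '<saml:Attribute Name="email"><saml:AttributeValue>guest@example.com</saml:AttributeValue></saml:Attribute>'
```

Running `check_saml_response(sample_response(BAD_ATTR), TENANT, "guest@example.com")` reports the missing emailaddress claim, which is the symptom behind the "Invitation redemption failed" message in this thread.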