Hi Microsoft Support,
I'm currently trying to connect G Suite as an external Identity Provider for Azure AD. Ideally, I would like Azure to delegate to Google for Auth as well as user provisioning. This ticket mainly focuses on setting up Google as the external IdP. For the purposes of this ticket I'm going to use example.com as a replacement for our domain.
These are the steps I've taken:
- Set up a new tenant on Azure AD (recommended by Microsoft support)
- Create a "SAML app" in G Suite with the following configuration:
  - ACS URL: https://login.microsoftonline.com/login.srf
  - Entity ID: https://login.microsoftonline.com/login.srf/<tenant_id>
  - Name ID format: PERSISTENT
  - Name ID: Basic Information > Primary email
  - Mappings: None
- Create an external IdP in Azure AD in the new tenant with the metadata provided from G Suite and the domain name example.com.
After setting everything up, I clicked on "Test SAML Login" on the Google SAML app page. I received the following error:
Request Id: 1232f39b-1292-4f08-8cca-82e7224e1800
Correlation Id: ea13b0f2-9f80-4bc6-8b4e-971a98c7a9a4
Timestamp: 2021-05-14T00:43:27Z
Message: AADSTS50107: The requested federation realm object 'https://accounts.google.com/o/saml2?idpid=<redacted>' does not exist.
After talking with Microsoft Support, they suggested following this troubleshooting doc: https://docs.microsoft.com/en-us/office365/troubleshoot/authentication/cant-sign-in-office-365-multiple-domain-federation. In step 3, Connect-MsolService opens a login screen which says that the domain example.com does not exist. Hence, I'm unable to progress past that point in the doc.
So that leaves me with the following questions:
- Is the login not working because my example.com account exists only in Azure?
- What is wrong with the current setup? Maybe there's a mapping that's missing from the G Suite app setup (though the docs didn't mention anything about that)?
- I'm seeing a lot of information about "Microsoft 365 Family" but I'm trying to set this up for a business. Is there a different type of account?
Thanks in advance!