AndrewDorne-9950 asked vipulsparsh-MSFT answered

Unable to have Azure AD delegate to Google SAML Auth as an IdP

Hi Microsoft Support,

I'm currently trying to connect G Suite as an external Identity Provider for Azure AD. Ideally, I would like Azure to delegate to Google for Auth as well as user provisioning. This ticket mainly focuses on setting up Google as the external IdP. For the purposes of this ticket I'm going to use example.com as a replacement for our domain.

These are the steps I've taken:

  1. Setup a new tenant on Azure AD (recommended by Microsoft support)

  2. Create a "SAML app" in G Suite with the following configurations:

    ACS URL: https://login.microsoftonline.com/login.srf
    Entity ID: https://login.microsoftonline.com/login.srf/<tenant_id>/

    Name ID format: PERSISTENT
    Name ID: Basic Information > Primary email

    Mappings: None

  3. Create an external IdP in Azure AD in the new tenant with the Metadata provided from G Suite and the domain name example.com.

After setting everything up, I clicked on "Test SAML Login" on the Google SAML app page. I received the following error:

Request Id: 1232f39b-1292-4f08-8cca-82e7224e1800
Correlation Id: ea13b0f2-9f80-4bc6-8b4e-971a98c7a9a4
Timestamp: 2021-05-14T00:43:27Z
Message: AADSTS50107: The requested federation realm object 'https://accounts.google.com/o/saml2?idpid=<redacted>' does not exist.
https://docs.microsoft.com/en-us/office365/troubleshoot/authentication/cant-sign-in-office-365-multiple-domain-federation

After talking with Microsoft Support, they suggested following this troubleshooting doc: https://docs.microsoft.com/en-us/office365/troubleshoot/authentication/cant-sign-in-office-365-multiple-domain-federation. In step 3, Connect-MsolService opens a login screen which says that the domain example.com does not exist. Hence, I'm unable to progress past that point in the doc.

So that leaves me with the following questions:
- Is the login not working because my example.com account exists only in Azure?
- What is wrong about the current setup? Maybe there's a mapping that's missing from the G Suite app setup (though the docs didn't mention anything about that)?
- I'm seeing a lot of information about "Microsoft 365 Family" but I'm trying to set this up for a business. Is there a different type of account?

Thanks in advance!
azure-ad-saml-sso
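For anyone checking a setup like the one described in this question, here is an added example (not code from the poster, Microsoft, or Google) that reads a SAML IdP metadata document of the kind G Suite exports, pulls the realm out of an AADSTS50107 message, and compares both against the IssuerUri values you would read back from your federated domains with Get-MsolDomainFederationSettings (the cmdlet the troubleshooting doc walks through). The metadata document, the idpid value, the certificate text and the list of configured issuers are all constructed placeholders, and the "findings" it reports are consistency checks, not a confirmed diagnosis of this particular tenant.

```python
"""Compare SAML IdP metadata against the realm Azure AD reports in an AADSTS50107 error.

Added example; the metadata, idpid and issuer list below are constructed placeholders.
"""
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed sample shaped like the metadata a Google Workspace SAML app exports.
# "EXAMPLEIDP" stands in for the real idpid; the certificate body is a placeholder.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://accounts.google.com/o/saml2?idpid=EXAMPLEIDP">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIC-PLACEHOLDER-CERT</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://accounts.google.com/o/saml2/idp?idpid=EXAMPLEIDP"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://accounts.google.com/o/saml2/idp?idpid=EXAMPLEIDP"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed error text in the same shape as the one quoted in the question.
SAMPLE_ERROR = ("AADSTS50107: The requested federation realm object "
                "'https://accounts.google.com/o/saml2?idpid=EXAMPLEIDP' does not exist.")


def parse_idp_metadata(xml_text):
    """Extract the fields Azure AD cares about from an IdP EntityDescriptor."""
    root = ET.fromstring(xml_text)
    sso = {s.get("Binding"): s.get("Location")
           for s in root.findall(".//md:SingleSignOnService", NS)}
    return {
        # entityID is the Issuer the IdP will put in every SAML response.
        "entity_id": root.get("entityID"),
        "sso": sso,
        "nameid_formats": [n.text.strip() for n in root.findall(".//md:NameIDFormat", NS)],
        "signing_certs": [c.text.strip() for c in root.findall(".//ds:X509Certificate", NS)],
    }


def realm_from_error(message):
    """Pull the quoted realm out of an AADSTS50107 message.

    A trailing ';' is dropped because forum rendering sometimes leaves one behind
    when the URL was HTML-escaped.
    """
    match = re.search(r"federation realm object '([^']*)'", message)
    return match.group(1).rstrip(";") if match else None


def check_realm(metadata, configured_issuer_uris, error_message):
    """Return a list of mismatches between the IdP metadata, the error and Azure AD's config.

    configured_issuer_uris is the set of IssuerUri values returned by
    Get-MsolDomainFederationSettings for each federated domain (supplied by the caller).
    An empty list means everything lines up.
    """
    findings = []
    realm = realm_from_error(error_message)
    entity_id = metadata["entity_id"]
    if realm is None:
        findings.append("error message does not contain a quoted federation realm")
    elif realm != entity_id:
        findings.append(f"realm in error {realm!r} differs from metadata entityID {entity_id!r}")
    if entity_id not in configured_issuer_uris:
        findings.append(f"no federated domain has IssuerUri {entity_id!r}")
    if PERSISTENT not in metadata["nameid_formats"]:
        findings.append("metadata does not advertise the persistent NameID format")
    if "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" not in metadata["sso"]:
        findings.append("metadata has no HTTP-POST SingleSignOnService endpoint")
    if not metadata["signing_certs"]:
        findings.append("metadata carries no signing certificate")
    return findings


if __name__ == "__main__":
    md = parse_idp_metadata(SAMPLE_METADATA)
    # Constructed: a tenant whose only federated domain still points at an on-prem STS.
    configured = ["http://sts.example.com/adfs/services/trust"]
    for finding in check_realm(md, configured, SAMPLE_ERROR):
        print("-", finding)
```

Run it against the real metadata file downloaded from the Google SAML app and the IssuerUri values from your own tenant; an empty findings list means the Issuer Google sends is one Azure AD has been told about, so the remaining questions are on the domain side (whether example.com is verified and federated in the tenant you are testing against), which is what the Connect-MsolService step in the doc is meant to surface.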

1 Answer

vipulsparsh-MSFT answered

@AndrewDorne-9950 Thanks for reaching out. I think this url will help you with the process:
https://www.goldyarora.com/g-suite-to-office-365-sso/

Let me know if it fits your scenario.
I have answered a similar post previously, you can have a look at : https://docs.microsoft.com/en-us/answers/questions/389739/index.html


If the suggested response helped you resolve your issue, please do not forget to accept the response as Answer and "Up-Vote" the answer that helped you, for the benefit of the community.
