HKG-7714 asked

Azure B2B External Identity using Google Workspace

Sorry for posting this question a second time. I have spent quite a bit of time on this and am really hoping someone can help me with it.

I am setting up an External Identity Provider using Google Workspace on my Azure tenant. The intention is to be able to use the guest account (via invitation) managed by Google Workspace to sign in to the Office 365 app.
I have read through the B2B SAML federation doc from Microsoft along with other web references, however I am still unable to get it working. From the SAML web\mobile app that I created under the Google Workspace, whenever I click on the test SAML login, I always get the error: AADSTS50107: The requested federation realm object 'https://accounts.google.com/o/saml2?idpid=xxxxxxxxx' does not exist. The account that is being used to log in to Google Workspace has been added to Azure AD as a guest.

Here is what I did with the setup.

In Azure
Created an External Identity SAML configuration using the following PowerShell commands.
# Build the federation settings object describing the Google IdP
$federationSettings = New-Object Microsoft.Open.AzureAD.Model.DomainFederationSettings
# SSO endpoint of the Google SAML app (idpid value is redacted here)
$federationSettings.PassiveLogOnUri = "https://accounts.google.com/o/saml2/idp?idpid=xxxxxxxxx"
$federationSettings.ActiveLogOnUri = "https://accounts.google.com/o/saml2/idp?idpid=xxxxxxxxx"
$federationSettings.LogOffUri = "https://accounts.google.com/o/saml2/idp?idpid=xxxxxxxxx"
# Must match the entityID (Issuer) that Google puts in its SAML responses
$federationSettings.IssuerUri = "https://accounts.google.com/o/saml2?idpid=xxxxxxxxx"
# Base64 signing certificate taken from the Google IdP metadata
$federationSettings.SigningCertificate = "signing cert from Google"
$federationSettings.PreferredAuthenticationProtocol = "Samlp"
$domainName = "mydomain.xyz"
# Register the external domain federation in the Azure tenant
New-AzureADExternalDomainFederation -ExternalDomainName $domainName -FederationSettings $federationSettings

In Google Workspace
Created a SAML web\mobile app using the Microsoft Office 365 template from their app store,
using the following settings for the app:
ACS URL: https://login.microsoftonline.com/login.srf (default)
Entity ID: urn:federation:MicrosoftOnline (default)
Enabled signed response
Name ID format: Persistent, Name ID: Basic Information > Primary email
SAML attribute mapping: Primary email > IDPEmail

I added the following TXT record in the mydomain.xyz domain:
mydomain.xyz  IN   TXT   DirectFedAuthUrl=https://accounts.google.com/o/saml2/idp?idpid=xxxxxxxxx

Any help will be much appreciated.

Thank you.
Tags: azure-active-directory, azure-ad-saml-sso, azure-managed-identity, azure-ad-b2b
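As an added consistency check (not from the original post and not Microsoft's or Google's own tooling), the following Python parses a constructed Google-style IdP metadata file and compares its entityID, HTTP-Redirect SSO URL and signing certificate with the DomainFederationSettings values used in the question, and checks that the DirectFedAuthUrl TXT value points at the same SSO URL. The idpid and the certificate body are placeholders.

```python
import re
import xml.etree.ElementTree as ET
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed stand-in for the IdP metadata XML Google Workspace lets you download;
# the idpid and the certificate body are placeholders, not real values.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  entityID="https://accounts.google.com/o/saml2?idpid=C0PLACEHOLDER">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC PLACEHOLDERCERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://accounts.google.com/o/saml2/idp?idpid=C0PLACEHOLDER"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def _strip_pem(cert):
    """Reduce a PEM or raw base64 certificate to its bare base64 body."""
    return re.sub(r"-----(BEGIN|END) CERTIFICATE-----|\s+", "", cert)

def parse_idp_metadata(xml_text):
    """Extract the values DomainFederationSettings must match from IdP metadata."""
    root = ET.fromstring(xml_text)
    sso = [e.get("Location") for e in root.iterfind(".//md:SingleSignOnService", NS)
           if e.get("Binding") == REDIRECT]
    key = root.find(".//md:KeyDescriptor[@use='signing']", NS)
    cert = key.find(".//ds:X509Certificate", NS) if key is not None else None
    return {"IssuerUri": root.get("entityID"),
            "PassiveLogOnUri": sso[0] if sso else None,
            "SigningCertificate": _strip_pem(cert.text) if cert is not None else None}

def check_federation_settings(configured, metadata_xml):
    """Return {setting: (configured, expected)} for each value disagreeing with the metadata."""
    expected = parse_idp_metadata(metadata_xml)
    mismatches = {}
    for name, want in expected.items():
        got = configured.get(name)
        if name == "SigningCertificate" and got:
            got = _strip_pem(got)  # tolerate PEM headers and line wrapping
        if got != want:
            mismatches[name] = (got, want)
    return mismatches

def txt_record_matches(txt_value, configured):
    """True when the DirectFedAuthUrl TXT value names the same URL as PassiveLogOnUri."""
    m = re.fullmatch(r"DirectFedAuthUrl=(\S+)", txt_value.strip())
    return bool(m) and m.group(1) == configured.get("PassiveLogOnUri")
```

An empty dict from check_federation_settings means the issuer, SSO URL and certificate all agree with the metadata; a mismatch on IssuerUri is the first thing to look at when the realm object cannot be found.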

@HKG-7714
Thank you for your post and I apologize for such a delayed response!

  • Can you share any documentation that you're following so I can gain a better understanding of your issue?

  • From your error message, it looks like the user you're trying to log in with is already a Guest user within Azure AD. Have you tried removing the user from Azure and retrying the test?


If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.


1 Answer

VishalPatel-0826 answered

@HKG-7714 were you able to get past this error? I am stuck at the same error for Azure B2B collaboration with Google Workspace IdP.
