Article #1: Azure Active Directory Federation with Google Workspace

Context

For one of my clients, I was asked to establish Azure Active Directory federation with Google Workspace (formerly called G Suite). In this blog I will go step by step through the configuration of Azure Active Directory federation with Google Workspace.

Google Workspace is a cloud platform similar to Azure that provides SaaS applications like Google Drive, Google Photos and Gmail for email, and also provides an identity provider that helps manage users and groups in the Google Directory.

We consider the context of an organization that has deployed two cloud platforms:

  • Google Workspace, using Google products like Gmail, Google Drive …
  • Azure, using various SaaS applications such as SharePoint Online and Dynamics 365 …

Organizations in a similar situation have to deal with two identity providers: Azure Active Directory and the Google identity management service.

Goals

In order to reduce the effort of managing and administering two identity providers, identity federation is a solution that relies on standard protocols such as SAML 2.0 or OpenID Connect.

In this blog we will see how to achieve Azure Active Directory federation with Google Workspace by configuring:

  • Single Sign-On: allowing users to authenticate to Google applications using their Office 365 accounts. For instance, a user already authenticated in Dynamics 365 will no longer need to authenticate again to their Gmail mailbox.
  • User provisioning: creating users in the Google Directory, on demand or periodically, when users are created in Azure AD.

Prerequisites

You need an Azure Active Directory tenant that will be used as the master federator (the identity provider) for Google Workspace, together with Global Administrator role access.

You also need a Google Workspace subscription linked to a domain name, with Organization Administrator role access.

Azure Active Directory Setup

Sign in to Azure Portal (https://portal.azure.com) using your Global Administrator credentials.

First you need to add and verify the custom domain used in Google Workspace. Consider yourdomain.com to be the domain used by your organization in the Google Workspace platform.

In Azure Active Directory, navigate to Custom domain names. Click on + Add custom domain.

Enter the domain name and click on Add domain.

You need to verify the domain before it can be used in Azure AD. The following screen provides the information (a DNS TXT or MX record) that you need to copy in order to create a DNS record in Google Workspace.

In Google Workspace, sign in with your organization administrator account and navigate to Manage Domain in the Home page.

Click on View details > Manage Domain.

In the side menu, go to DNS and click on Manage custom records.

Add the information provided in the verification step of the custom domain in Azure AD, then click on Save.

Go back to Azure and click on the Verify button of the custom domain.

The domain is now verified and can be used to create users in Azure AD with the same domain name as in Google Workspace.

Now we will add an enterprise application that establishes synchronization between the two directories, Azure Active Directory and Google Directory.

In the Azure Active Directory menu, navigate to the Enterprise applications blade and click on + New application.

In the search bar, type Google Cloud, select Google Cloud / G Suite Connector by Microsoft and click on Create.

The application should now be displayed in the list of your enterprise applications in the Enterprise applications blade of the Azure Active Directory page.

Browse to the Google Cloud / G Suite Connector by Microsoft application and navigate to the Single sign-on blade.

Select the SAML option.

In the Basic SAML Configuration section, click on Edit and fill in the configuration below.

Identifier (Entity ID): google.com/a/<yourdomain.com>
Reply URL (Assertion Consumer Service URL): https://www.google.com/a/<yourdomain.com>/acs
Sign on URL: https://www.google.com/a/<yourdomain.com>/ServiceLogin?continue=https://console.cloud.google.com
Relay State (Optional): <Leave empty>
Logout URL (Optional): https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0

where “yourdomain.com” is the domain linked to your Google Workspace organization.

Leave the default values proposed by the connector application in the Attributes & Claims section.

In the SAML Signing Certificate section, download the Certificate (Base64) and save it on your local machine; we will upload it later in the Google Workspace administration portal.

Copy the three fields (Login URL, Azure AD Identifier and Logout URL) from the Set up Google Cloud / G Suite Connector by Microsoft section.

Keep this browser tab open for the moment, we will get back to it later.

Google Workspace Setup

Open a new tab and navigate to the Google administration portal (https://admin.google.com) with your organization administrator credentials.

Navigate to the menu Security > Authentication > SSO with third party IdP.

Click on Edit and fill in the previously copied fields: Login URL, Azure AD Identifier and Logout URL. Upload the certificate previously downloaded. Make sure you check Use a domain-specific issuer, so that Google identifies itself to Azure AD as google.com/a/<yourdomain.com>, matching the Identifier (Entity ID) configured above.

In the Change password URL field, enter the following: https://account.activedirectory.windowsazure.com/changepassword.aspx.

Click on Save.

Well done! Your Google Workspace setup is completed.
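As an added example (not code from the original post), the small Python helper below derives the values exchanged between the two sides of the setup above: the Google service-provider settings to type into the Azure AD connector for a given domain, and the three fields plus certificate to copy from the Azure AD federation metadata into the Google admin form. The IdP metadata document is a constructed stand-in for the Azure AD federation metadata XML; the tenant id and certificate value are placeholders.

```python
"""Added example: derive the SAML values exchanged between Azure AD and Google Workspace.
The IdP metadata below is a constructed stand-in for Azure AD federation metadata;
the tenant id and certificate are placeholders, not real values."""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
TENANT = "00000000-0000-0000-0000-000000000000"  # placeholder tenant id

# Constructed sample of the Azure AD IdP metadata (shape only, values are placeholders)
SAMPLE_IDP_METADATA = f"""<EntityDescriptor xmlns="{MD}" entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="{DS}"><X509Data>
      <X509Certificate>PLACEHOLDER_BASE64_CERT</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def google_sp_settings(domain: str) -> dict:
    """Values to enter in Basic SAML Configuration of the connector app for this domain."""
    return {
        "identifier": f"google.com/a/{domain}",
        "reply_url": f"https://www.google.com/a/{domain}/acs",
        "sign_on_url": f"https://www.google.com/a/{domain}/ServiceLogin?continue=https://console.cloud.google.com",
        "logout_url": "https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0",
    }


def idp_settings_from_metadata(xml_text: str) -> dict:
    """Values Google Workspace asks for under 'SSO with third party IdP'."""
    root = ET.fromstring(xml_text)
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    signing = idp.find(f"{{{MD}}}KeyDescriptor[@use='signing']")
    cert = signing.find(f".//{{{DS}}}X509Certificate").text.strip()
    return {
        "login_url": idp.find(f"{{{MD}}}SingleSignOnService").get("Location"),
        "entity_id": root.get("entityID"),  # "Azure AD Identifier" in Google's form
        "logout_url": idp.find(f"{{{MD}}}SingleLogoutService").get("Location"),
        "signing_cert": cert,  # upload this as the verification certificate
    }


def issuer_matches(domain: str, saml_request_issuer: str) -> bool:
    """With 'Use a domain-specific issuer' enabled, Google's AuthnRequest Issuer is
    google.com/a/<domain>; it must equal the Identifier configured in Azure AD."""
    return saml_request_issuer == google_sp_settings(domain)["identifier"]
```

The real metadata document is the App Federation Metadata Url shown in the connector's SAML Signing Certificate section; feed its XML to idp_settings_from_metadata to double-check what was typed into the Google form.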

Federation in Action!

Back in the Azure portal, if you want to restrict user synchronization to a specific pool of users, go to the Users and groups blade of the Google Cloud / G Suite Connector by Microsoft enterprise application and select the users you want to synchronize with the Google Directory.

Next we will run the initial synchronization from Azure AD to the Google Directory. Once the synchronization completes, all users defined in the Users and groups blade will be created automatically in the Google Workspace platform.

Click on Provisioning, then on Get started.

You can choose to run a manual synchronization by selecting Manual as the provisioning mode.

You can also schedule the provisioning of users. Currently the synchronization period is set to 40 minutes. This interval is fixed and cannot be changed for the moment.

Select Automatic in the provisioning mode, click on Authorize and enter the Google organization administrator credentials.

Click on Test connection to confirm that the operation completed successfully.

Click on Save, then go back to the Google Cloud / G Suite Connector by Microsoft enterprise application in Azure AD.

In the Provisioning blade, you can see the fixed provisioning period, which is 40 minutes. Also notice that completion is at 0%. Click on Start provisioning.

After a few seconds, the initial cycle will be 100% complete and the users defined in the synchronization scope should appear in the Google Directory under the Users menu.

In addition, the connector offers the ability to run the synchronization on demand by clicking on Provision on demand.

Once you have verified that the users you defined in the synchronization scope now exist in both Azure AD and the Google Directory, sign in with a synchronized Office 365 account at https://office.com in your browser and then open a Google application such as https://gmail.com. You will be automatically authenticated to Gmail and will not be asked to enter credentials again.
