SSO from Azure AD to G Suite

This page explains how to integrate G Suite with Azure Active Directory (Azure AD). Once Azure AD is federated with G Suite, a user who is already signed in to Azure AD reaches G Suite without authenticating again. G Suite is one of the Azure AD Gallery SaaS apps, so the integration itself is described in Microsoft's tutorial document (see reference 1).

With FIDO2 password-less login using ThinC-AUTH, users sign in to Azure AD from Windows 10 or from a browser. The Office 365 portal then opens without an additional login, and in the Office 365 access panel the user only clicks the G Suite icon to enter G Suite without further authentication. The figure below shows the SSO flow, in which interactive authentication happens exactly once. Because the FIDO2 login is the strongest link in this chain, the federation protocol that carries the session onward (SAML here) must be configured so that it does not become the weak link: G Suite must accept only assertions signed with the Azure AD signing certificate that is uploaded to it in the steps below.

How to set up the SSO configuration

The following steps, on both the Azure AD side and the G Suite side, set up SAML SSO from Azure AD to G Suite.

  1. Azure AD SSO configuration

  2. G Suite SSO configuration

  3. Azure AD user provisioning: Azure AD > Enterprise applications > G Suite > Manage > Users and groups > Add user

  4. G Suite user provisioning: Google Admin console > organizational unit > Add new user

(1) Azure AD SSO Configuration

  1. Go to Azure AD > Enterprise applications > New application, select G Suite from the Gallery apps and add it.
  2. Go to Azure AD > Enterprise applications > G Suite > Single sign-on, select "SAML" and fill in the sections below.

① Basic SAML Configuration

Identifier (Entity ID): google.com/a/acot-e.com
Reply URL (Assertion Consumer Service URL): https://www.google.com
Sign out URL: https://www.google.com/a/acot-e.com/Servicelogin?continue=https://console.cloud.google.com
Relay State: optional
Logout URL: optional

② User Attributes & Claims

givenname: user.givenname
surname: user.surname
emailaddress: user.mail
name: user.userprincipalname
acotmail: user.mail
Unique User Identifier (Name ID): user.userprincipalname

Google identifies the signed-in user by the Name ID value, which must equal the user's G Suite primary email address (or one of its aliases). Mapping the Name ID to user.userprincipalname therefore works only when every federated user's UPN is identical to their G Suite email; if UPN and mail address differ, map the Name ID to user.mail instead.

③ SAML Signing Certificate

Status: Active
Thumbprint: B21FA3F09FB2BB875FA1E79EE3CD53721377932C
Expiration: 9/29/2022 12:15:59 AM
Notification Email: info@acot-e.com
App Federation Metadata URL: https://login.microsoftonline.com/2934fee8-9…
Certificate (Base64): download
Certificate (Raw): download
Federation Metadata XML: download

G Suite validates the signature on every assertion against this certificate, so before the expiration date a new certificate has to be generated here and uploaded to the G Suite SSO settings (step (2)); otherwise G Suite rejects the assertions and SSO stops working. The notification email is where Azure AD sends the expiry warning.

④ Set up G Suite (the portal labels this section "Set up <Application Name>")

Login URL: https://login.microsoftonline.com/2934fee8-
Azure AD Identifier: https://sts.windows.net/2934fee8-90e6-4e13-..
Logout URL: https://login.microsoftonline.com/common/w…

(2) G Suite SSO Configuration

  1. Go to G Suite Admin console > Security.
  2. Select "Set up single sign-on (SSO)".

G Suite Admin console > Security > Set up single sign-on (SSO)

Set up SSO with a third-party identity provider

To set up the third party as your identity provider, provide the information below (the URLs come from section ④ of the Azure AD configuration, the certificate from section ③).

Sign-in page URL: https://login.microsoftonline.com/2934fee8-90e6-4e13-930d-2003cbaf0e4d/saml2
Sign-out page URL: https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0
Change password URL: https://account.activedirectory.windowsazure.com/changepassword.
Verification certificate: authentication file uploaded (Replace certificate)

Use a domain specific issuer: with this option enabled, Google sends google.com/a/<your domain> as the SAML issuer instead of google.com. The Identifier (Entity ID) entered in Azure AD, google.com/a/acot-e.com, matches only that domain-specific issuer, so the two settings have to agree or Azure AD rejects the authentication request.

Network masks: optional; limits the SSO settings to users coming from the listed address ranges.
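Before the values from ③ and ④ are typed into the G Suite SSO page, it is worth checking that the downloaded Federation Metadata XML, the certificate and the portal display agree with each other, so that a stale download or a mistyped URL does not get pasted into Google. The following Python script is an added example for this page and is not code from Microsoft, Google or ACOT. It parses IdP metadata, computes the SHA-1 thumbprint of the signing certificate (the format the portal shows in ③), compares entity ID, SSO URL and thumbprint with the portal values, and produces the Sign-in page URL and PEM certificate to enter in the G Suite console. The tenant ID, certificate bytes and thumbprint in it are constructed placeholders, not the ones on this page; the certificate body is the base64 of the bytes "abc" so that the script runs offline without a real X.509 certificate.

```python
"""Cross-check Azure AD SAML metadata against the portal before configuring G Suite.

Added example for this page; not code from Microsoft, Google or ACOT.
Tenant ID, certificate and thumbprint below are constructed placeholders.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
TENANT = "00000000-0000-0000-0000-000000000000"  # placeholder tenant ID

# Constructed stand-in for the "Federation Metadata XML" download (section ③).
# The X509Certificate body is base64 of b"abc", not a real certificate, so the
# script runs offline; with a real download it is the DER-encoded certificate.
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>YWJj</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="{REDIRECT}"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

# Constructed stand-in for what the portal shows in sections ③ and ④.
PORTAL = {
    "thumbprint": "A9993E36 4706816A BA3E2571 7850C26C 9CD0D89D",  # SHA-1 of b"abc"
    "azure_ad_identifier": f"https://sts.windows.net/{TENANT}/",
    "login_url": f"https://login.microsoftonline.com/{TENANT}/saml2",
}


def sha1_thumbprint(der: bytes) -> str:
    """Uppercase hex SHA-1 of the DER certificate, the format the Azure portal shows."""
    return hashlib.sha1(der).hexdigest().upper()


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract entity ID, HTTP-Redirect SSO URL and signing certificate from IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity-provider metadata")
    cert_b64 = idp.findtext(
        "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate",
        namespaces=NS,
    )
    if not cert_b64:
        raise ValueError("metadata carries no signing certificate")
    der = base64.b64decode("".join(cert_b64.split()))  # strip line wrapping first
    sso_url = None
    for ep in idp.findall("md:SingleSignOnService", NS):
        if ep.get("Binding") == REDIRECT:  # the binding Google uses for Sign-in page URL
            sso_url = ep.get("Location")
    return {
        "entity_id": root.get("entityID"),
        "sso_url": sso_url,
        "cert_der": der,
        "thumbprint": sha1_thumbprint(der),
    }


def compare_with_portal(meta: dict, portal: dict) -> list:
    """Return mismatches between metadata and portal values; an empty list means consistent."""
    portal_tp = portal["thumbprint"].replace(" ", "").upper()
    checks = [
        ("Thumbprint", portal_tp, meta["thumbprint"]),
        ("Azure AD Identifier", portal["azure_ad_identifier"], meta["entity_id"]),
        ("Login URL", portal["login_url"], meta["sso_url"]),
    ]
    return [f"{name}: portal={p!r} metadata={m!r}" for name, p, m in checks if p != m]


def der_to_pem(der: bytes) -> str:
    """PEM-wrap the DER certificate for the G Suite 'Verification certificate' upload."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def gsuite_sso_values(meta: dict) -> dict:
    """Fields filled in under Google Admin console > Security > Set up single sign-on."""
    return {
        "Sign-in page URL": meta["sso_url"],
        "Verification certificate": der_to_pem(meta["cert_der"]),
    }


if __name__ == "__main__":
    meta = parse_idp_metadata(SAMPLE_METADATA)
    problems = compare_with_portal(meta, PORTAL)
    if problems:
        raise SystemExit("do not configure G Suite yet:\n  " + "\n  ".join(problems))
    for field, value in gsuite_sso_values(meta).items():
        print(f"{field}:\n{value}")
```

With a real tenant, replace SAMPLE_METADATA with the contents of the downloaded Federation Metadata XML and PORTAL with the values read from sections ③ and ④. A non-empty result from compare_with_portal means the download and the portal disagree (typically a certificate that was rolled over after the download), and nothing should be entered in Google until they match.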

Reference

  1. Microsoft, "Tutorial: Azure Active Directory single sign-on (SSO) integration with G Suite".

editor

Editor, ACOT Electronics Inc. since Nov. 2017