Federate your User Accounts in Microsoft Azure AD to Google Cloud Identity (Part 2)
Configure Single Sign-On
In Part 1 of this series, we provisioned users from Microsoft Azure AD to Google Cloud Identity by creating a new application using the Google Cloud/G Suite Connector by Microsoft and then configuring it with the connection details, user assignment and verification. If you have not read it yet, I would recommend going through it before we configure Single Sign-on for the provisioned users.
Cloud Identity and Google Workspace support Security Assertion Markup Language (SAML) 2.0 for Single Sign-on. When you use SSO for Cloud Identity or Google Workspace, your external IdP is the SAML identity provider and Google is the SAML service provider. This keeps credentials and authentication policies maintained in one place. So, once the users are provisioned, we configure Single Sign-on to let them authenticate against Azure AD and sign in to Google successfully.
A quick recap of our setup, we:
- Use the domain demodata.info
- Use a connector that provides user provisioning and single sign on configuration — Google Cloud / G Suite Connector by Microsoft
- Use azuread-provisioning user in Google Cloud Identity to connect with Azure AD
- Have provisioned 2 users from Azure AD — Chris and John
Let's now begin configuring Single Sign-on for the provisioned user accounts between Cloud Identity and Azure AD.
1. Create a new Enterprise Application using Google Cloud/G Suite Connector by Microsoft to handle Single Sign-on for the provisioned users.
a. Select New Application and search for Google Cloud/G Suite Connector by Microsoft. Select the connector, change the Name to differentiate it from the application used for provisioning and select Create.
b. In the new application, select Properties under Manage, change as below and Save:
- Enabled for Users Sign-in as Yes
- Assignment Required as Yes — set this to No if all users are to be configured for Single Sign-on
2. User Assignment — If the Assignment Required is configured as Yes in the Properties.
a. Select Users and groups under Manage and then Add user/group.
b. Under Users, select the None selected hyperlink to choose the users to be configured. Select the required users and select Assign.
c. Once selected, the user assignment is completed as below:
3. The next step is to configure the SAML (Security Assertion Markup Language) settings in Azure AD — this enables Cloud Identity to delegate authentication to Azure AD.
a. In the Google Cloud/G Suite Connector by Microsoft application, select Single sign-on under Manage and select the SAML card.
b. In the Attributes & Claims card, select Edit.
As we have provisioned the users using the UPN in our example, we configure the card as below:
- Select Edit
- Remove all the claims under the Additional Claims section
- In case you have provisioned the users using the UPN with the domain substituted, or using the email address, configure the claims as specified in the documentation instead
- Once you have configured the settings, close the Attributes & Claims section
c. Select Edit in the Basic SAML Configuration card.
d. Provide the values below for the parameters and save the changes:
- Identifier (Entity ID): google.com
- Reply URL: https://www.google.com/
- Sign on URL: https://www.google.com/a/PRIMARY_DOMAIN/ServiceLogin?continue=https://console.cloud.google.com/
Replace PRIMARY_DOMAIN above with the primary domain name used in the provisioning. In our example, this is demodata.info.
e. In the SAML Certificate card, download the Certificate (Base64).
f. Note the Login URL in the Set up Google Cloud / G Suite Connector by Microsoft (Single Sign On) card.
4. We will now enable Single Sign-on in Google Cloud Identity or Google Workspace.
a. Sign in to the Google Admin Console as a super admin user and select Show More -> Security -> Authentication -> SSO with Third Party IdP.
b. Select Add SSO Profile, provide the below details in the parameters in the Third Party SSO profile for your organisation and Save your changes:
- Enable Set up SSO with third-party identity provider
- Sign-in page URL: Provide the Login URL from the Set up Google Cloud card in the Azure Portal — as specified in the section 3.f
- Sign-out page URL: Provide the below URL — https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0
- In the Verification certificate, upload the certificate as downloaded in the section 3.e
- Change password URL: Provide the below URL — https://account.activedirectory.windowsazure.com/changepassword.aspx
c. Disable Single Sign-on for the Automation OU (Organization Unit), so that the azuread-provisioning user placed there keeps signing in with its Google credentials and is not routed to Azure AD
- In the SSO with Third Party IdP section and in Manage SSO Profile Assignments, select Get Started.
- Select the Automation OU in the Organization Units section as below
- Select None in the SSO profile assignment instead of Organisation's third-party SSO profile and select Override to save the changes
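As an added example (not code from the original post), the Python script below checks a SAML Response against the values configured in steps 3 and 4: the Destination and Recipient must be the Reply URL, the Audience must be the Entity ID google.com, the NameID must be a UPN on the primary domain demodata.info (that is what Cloud Identity matches against the provisioned user's primary email when provisioning used the plain UPN), the validity window must cover the current time, and no attribute claims should be present because step 3b removed them. The sample response, the tenant id in its Issuer and the user chris@demodata.info are constructed for this example. The script does not verify the XML signature; Google does that against the certificate uploaded in step 4b, so this is a configuration check, not an authentication.

```python
"""Check a SAML Response against the Basic SAML Configuration used in this post.

Added example, not from the original post. Uses only the standard library.
It does NOT verify the XML signature (Google checks that with the uploaded
verification certificate); it only confirms the fields line up with the setup.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Values from step 3d of the post.
EXPECTED_AUDIENCE = "google.com"                # Identifier (Entity ID)
EXPECTED_REPLY_URL = "https://www.google.com/"  # Reply URL
PRIMARY_DOMAIN = "demodata.info"                # domain used for provisioning

# Constructed sample response. The tenant id in the Issuer is a placeholder
# and chris@demodata.info is an assumed UPN for the provisioned user Chris.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2024-05-01T10:00:00Z" Destination="https://www.google.com/">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">chris@demodata.info</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-05-01T10:05:00Z" Recipient="https://www.google.com/"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T09:55:00Z" NotOnOrAfter="2024-05-01T11:00:00Z">
      <saml:AudienceRestriction><saml:Audience>google.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2024-05-01T10:00:00Z"/>
  </saml:Assertion>
</samlp:Response>"""

# A constructed "current time" inside the sample's validity window.
SAMPLE_NOW = datetime(2024, 5, 1, 10, 0, 30, tzinfo=timezone.utc)


def parse_saml_time(value):
    """SAML timestamps are UTC and end in 'Z'; fromisoformat needs an explicit offset."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_response(xml_text, now):
    """Return a list of problems; an empty list means the response matches the setup."""
    problems = []
    root = ET.fromstring(xml_text)

    # The response must be addressed to the Reply URL configured in Azure AD.
    if root.get("Destination") != EXPECTED_REPLY_URL:
        problems.append(f"Destination {root.get('Destination')!r} is not the Reply URL")

    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("StatusCode is not Success")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no Assertion element")
        return problems

    # Google matches NameID against the user's primary email, so with plain-UPN
    # provisioning it must be a UPN on the primary domain.
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    local, sep, domain = name_id.rpartition("@")
    if not sep or not local or domain.lower() != PRIMARY_DOMAIN:
        problems.append(f"NameID {name_id!r} is not a UPN on {PRIMARY_DOMAIN}")

    # Bearer confirmation: recipient must be the Reply URL and must not have expired.
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        problems.append("no SubjectConfirmationData")
    else:
        if scd.get("Recipient") != EXPECTED_REPLY_URL:
            problems.append(f"Recipient {scd.get('Recipient')!r} is not the Reply URL")
        not_after = scd.get("NotOnOrAfter")
        if not_after is None or now >= parse_saml_time(not_after):
            problems.append("SubjectConfirmationData has expired")

    # Conditions: validity window, and Audience must equal the Entity ID.
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        problems.append("no Conditions element")
    else:
        not_before, not_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before is not None and now < parse_saml_time(not_before):
            problems.append("assertion is not yet valid")
        if not_after is None or now >= parse_saml_time(not_after):
            problems.append("assertion has expired")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if EXPECTED_AUDIENCE not in audiences:
            problems.append(f"Audience {audiences!r} does not contain the Entity ID")

    # Step 3b removed all additional claims, so no Attribute should be present.
    extra = [a.get("Name") for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)]
    if extra:
        problems.append(f"unexpected claims in the assertion: {extra}")
    return problems


if __name__ == "__main__":
    print(check_response(SAMPLE_RESPONSE, SAMPLE_NOW) or "response matches the SSO configuration")
```

Run it against a response captured from the browser during the sign-in test in step 5 (with `now` set to the time of capture); a non-empty list points at the Azure AD setting or claim that does not match what Cloud Identity expects, which is usually the cause of a "Google couldn't verify this account belongs to you" style failure after the Azure AD login succeeds.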
5. Validate that the users are able to sign in to Google Cloud using Single Sign-on.
a. Ask the users provisioned and configured for Single Sign-on to log in to the Google Cloud Console.
b. In our example the 2 users are email@example.com and firstname.lastname@example.org.
c. This takes us to the Microsoft login page at the Login URL specified in the SSO profile.
d. Enter the respective Azure AD credentials and the user is authenticated successfully:
e. On first login, a Welcome screen appears with the Privacy Notice and Terms of Service.
f. After reading them, select I understand; the user is then signed in to the Google Cloud Console.
This completes the federation of your user accounts in Microsoft Azure AD to Google Cloud Identity, which covered provisioning users (Part 1) and configuring Single Sign-on (this part).
Set it up in your landscape; I would be happy to hear about your implementation journey. Thanks for reading!