Federate your User Accounts in Microsoft Azure AD to Google Cloud Identity (Part 2)

Configure Single Sign-On

In the Part 1 of Federating user accounts, we provisioned Users from Microsoft Azure AD to Google Cloud Identity by creating a new application using Google Cloud/G Suite Connector by Microsoft and then configuring it with the connection details, user assignment and verification. If not already read, I would recommend going through the same before we configure Single Sign-on for the provisioned users.

Cloud Identity and Google Workspace support Security Assertion Markup Language (SAML) 2.0 for Single Sign-on. When you use SSO for Cloud Identity or Google Workspace, your external IdP is the SAML IdP and Google is the SAML service provider. This helps to simplify the maintenance of credentials and policies at one place. Thus, once the users are provisioned, we will configure Single sign-on to enable them to authenticate themselves and sign in successfully.

A quick recap of our setup, we:

  • Use the domain demodata.info
2 Provisioned users — Chris Green and John Doe

Lets now begin configuring Single Sign-on for the provisioned user accounts between Cloud Identity and Azure AD

  1. Create a new Enterprise Application using Google Cloud/G Suite Connector by Microsoft to handle Single sign-on for the provisioned users.
Create a new Enterprise Application using Google Cloud/G Suite Connector by Microsoft

a. Select New Application and search for Google Cloud/G Suite Connector by Microsoft. Select the connector, Change the Name to differentiate with the application used for Provisioning and select Create

Select the Connector and provide an appropriate name to depict Single Sign-on

b. In the new application, select Properties under Manage, change as below and Save:

  • Enabled for Users Sign-in as Yes
Set the Properties for the Google Cloud/G Suite Connector by Microsoft application to enable users for Single Sign-on and Assignment as required

2. User Assignment — If the Assignment Required is configured as Yes in the Properties.

a. Select Users and groups under Manager and Add user/group

Add required user/group

b. Under users, select None selected Hyperlink to select the users required to be configured. Select the required users and select Assign

Select the users as required.

c. Once selected the User Assignment is completed as below:

User assignment screen after selection

3. Next step is to configure SAML (​​Security Assertion Markup Language) Settings in Azure AD — This will enable Cloud Identity to delegate authentication to Azure AD

a. In the Google Cloud/G Suite Connector by Microsoft application, select Single sign-on under Manage and select the SAML card

In Single Sign-on section, selected SAML

b. In the Attributes & Claims card, select Edit.

As we have provisioned the users using UPN in our example, we will configure the card as below:

  • Select Edit
Edit the Attributes & Claims card
Remove all the claims under the Additional Claims section
  • In case you have provisioned the users using UPN with domain substituted or with email address, you can configure it as specified in the document

c. Select Edit Basic SAML Configuration

Edit the SAML Configuration

d. Provide the below values for the parameters and save the changes:

Provide the primary domain name used in the provisioning for the PRIMARY_DOMAIN specified above. In our example, we will use demodata.info

https://www.google.com/a/demodata.info/ServiceLogin?continue=https://console.cloud.google.com/

Provide Identifier and Reply URL for SAML Configuration
Provide Sign on URL for SAML Configuration

e. In the SAML Certificate card, download the Certificate (Base64)

Download the Base64 SAML Certificate

f. Note the Login URL in the Set up Google Cloud / G Suite Connector by Microsoft (Single Sign On) card

Note the Login URL in the Set up Google Cloud / G Suite Connector by Microsoft (Single Sign On) card

4. We will now enable Single Sign-on in Google Cloud Identity or Google Cloud Workspace.

a. Login to Google Cloud Admin Console with Super admin user and select Show More -> Security -> Authentication -> SSO with Third Party IdP

Go to SSO with Third Party IdP in Google Cloud Identity to enable Single Sign-on

b. Select Add SSO Profile, provide the below details in the parameters in the Third Party SSO profile for your organisation and Save your changes:

Add SSO Profile with the specified parameters for your organisation

c. Disable the Single Sign-on for Automation OU (Organization Unit)

  • In the SSO with Third Party IdP section and in Manage SSO Profile Assignments, select Get Started.
In the SSO with Third Party IdP section, go to Manage SSO Profile Assignments
  • Select Automation OU in the Organization Units section as below
Select Automation OU in Organisation Units
  • Select None in SSO profile assignment instead of Organisation’s third-party SSO profile and select Override to save the changes
Select None in SSO profile assignment and Override to save changes

5. Validate that the users are able to Sign in Google Cloud using Single Sign-on

a. For the users provisioned and configured for Single Sign-on, request them to login to Google Cloud Console.

b. In our example the 2 users are chrisgreen@demodata.info and johndoe@demodata.info.

Chris Green log in to Google Cloud console

c. This will take us to the Microsoft login page with the Login URL specified

Redirecting to the Microsoft Login Page for authentication

d. Specify respective Azure AD credentials and it will successfully authenticate you:

Specify the respective Azure AD credentials for logging in

e. For the first time login, a Welcome screen will appear with Privacy Notice and Terms of Service.

Logging in Google Cloud console for the first time brings up a Welcome screen with Privacy Notice and Terms of Service

f. After reading them, select I understand, the user will be able to successfully login to Google Cloud Console

This completes our Federation of your User Accounts in Microsoft Azure AD to Google Cloud Identity which includes Provisioning Users (Part 1) and Configuring Single Sign on.

Set it up in your landscape and would be happy to know your implementation journey. Thanks for reading !!

--

--

A collection of technical articles and blogs published or curated by Google Cloud Developer Advocates. The views expressed are those of the authors and don't necessarily reflect those of Google.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store