Forum Discussion
Using Google as IDP for O365
Your error message is on the frame 90:
AADSTS51004: To sign into this application the account must be added to the 123abc89-abcd-1234-1234-abcdabcd directory. Trace ID: d8f05825-16fa-4ea6-924b-63fdf34e0c00 Correlation ID: a58ee092-b0ee-40f2-902f-4863b19d6240 Timestamp: 2018-01-08 22:41:56Z
You don't have access with the account you specified in the NameID:
<saml2:Subject> <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">azure.test@contoso.com</saml2:NameID> ... </saml2:Subject>
It seems that the NameID should have the immutable ID of the user you have provisioned in Azure AD. So what immutable ID did you use for the representation of that user? There is a bit more information here: https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-federation-saml-idp
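As an added illustration of the point above (this is example code, not Pierre's or Microsoft's), the script below shows what a correctly formed Subject looks like next to the one quoted from the trace: Azure AD expects the persistent NameID to carry the user's ImmutableID, which for an Azure AD Connect-synchronized user is by default the base64 encoding of the on-premises objectGUID's 16 bytes, while the sign-in name (UPN) travels separately in the IDPEmail attribute required by the linked Microsoft article. The SAML fragments and the GUID are constructed samples; the IDPEmail attribute name and the UPN match are taken from that article, not from this thread.

```python
import base64
import uuid
import xml.etree.ElementTree as ET

SAML_NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"


def immutable_id_from_object_guid(guid_str: str) -> str:
    """Azure AD Connect's default sourceAnchor is the on-premises objectGUID.
    The ImmutableID is that GUID's 16 bytes, in the byte order AD/.NET use
    (mixed-endian, i.e. uuid's bytes_le), base64-encoded."""
    return base64.b64encode(uuid.UUID(guid_str).bytes_le).decode("ascii")


def looks_like_immutable_id(value: str) -> bool:
    """True if the value decodes (strict base64) to exactly 16 bytes.
    An email address such as azure.test@contoso.com fails this test."""
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:
        return False
    return len(raw) == 16


def check_assertion(assertion_xml: str, expected_immutable_id: str, expected_upn: str) -> list:
    """Return a list of findings explaining why Azure AD would reject the
    assertion for this user; an empty list means Subject and IDPEmail line up."""
    root = ET.fromstring(assertion_xml)
    findings = []

    name_id = root.find(".//saml2:Subject/saml2:NameID", SAML_NS)
    if name_id is None:
        findings.append("no NameID in Subject")
    else:
        fmt = name_id.get("Format")
        value = (name_id.text or "").strip()
        if fmt != PERSISTENT:
            findings.append(f"NameID Format is {fmt!r}, expected persistent")
        if not looks_like_immutable_id(value):
            findings.append(f"NameID {value!r} is not a base64 16-byte ImmutableID (it looks like a UPN/email)")
        elif value != expected_immutable_id:
            findings.append(f"NameID {value!r} does not match the user's ImmutableID {expected_immutable_id!r}")

    # IDPEmail attribute name per the Microsoft SAML 2.0 IdP federation article (assumption).
    idp_email = None
    for attr in root.findall(".//saml2:AttributeStatement/saml2:Attribute", SAML_NS):
        if attr.get("Name") == "IDPEmail":
            val = attr.find("saml2:AttributeValue", SAML_NS)
            idp_email = (val.text or "").strip() if val is not None else None
    if idp_email is None:
        findings.append("no IDPEmail attribute carrying the UPN")
    elif idp_email.lower() != expected_upn.lower():
        findings.append(f"IDPEmail {idp_email!r} does not match the user's UPN {expected_upn!r}")
    return findings


def sample_assertion(name_id: str) -> str:
    """Constructed minimal assertion (not a real capture) with the given NameID."""
    return f"""<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Subject>
    <saml2:NameID Format="{PERSISTENT}">{name_id}</saml2:NameID>
  </saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="IDPEmail">
      <saml2:AttributeValue>azure.test@contoso.com</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""


if __name__ == "__main__":
    # Constructed objectGUID for the sample user; a real one comes from on-premises AD.
    iid = immutable_id_from_object_guid("12345678-1234-1234-1234-123456789abc")
    upn = "azure.test@contoso.com"
    print("ImmutableID:", iid)
    print("email in NameID:", check_assertion(sample_assertion(upn), iid, upn))
    print("ImmutableID in NameID:", check_assertion(sample_assertion(iid), iid, upn))
```

The first check reproduces the situation in the trace (a UPN where the ImmutableID belongs) and reports it; the second passes. To compare against the value Azure AD actually holds, read the user's ImmutableID from the tenant (for example with Get-MsolUser, as the article describes) and feed it in as expected_immutable_id.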
Hi Pierre,
Thank you for that insight! I am using Azure AD Connect to synchronize these users from my on-premises AD, so the ImmutableID is being set automatically. I took steps to consciously set the UPN to the email attribute so that there is a match there on the Google side. I think I incorrectly assumed this would take care of the ImmutableID as well.
What steps can I take in order to control the ImmutableID if I am using this sync method instead of creating users via PowerShell?
Best,
Jon
- Pié, Jan 09, 2018 (Microsoft)
There are some explanations there: https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-design-concepts. Tell us if that helps!
- Jon Mann, Jan 09, 2018 (Copper Contributor)
Hi Pierre,
Thank you for helping clear this up. I'm still unsure of the difference and usage between userPrincipalName & sourceAnchor. Our IDP will be identifying the user via email address since Google is our email provider and knows each user's email address.
We are not using samAccountName to identify users as our Windows domain is corp.company.com rather than company.com.
What would you recommend the userPrincipalName & sourceAnchor values be set as in order to make this functional (I noticed in that article that '@' may not be supported for sourceAnchor)?
Best,
Jon