Home

Using Google as IDP for O365

%3CLINGO-SUB%20id%3D%22lingo-sub-140270%22%20slang%3D%22en-US%22%3EUsing%20Google%20as%20IDP%20for%20O365%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-140270%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20All%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EI%20am%20attempting%20to%20utilize%20SSO%20into%20O365%20via%20our%20Google%20IDP%20and%20am%20running%20into%20some%20snags.%20When%20the%20user%20attempts%20to%20authenticate%2C%20they%20are%20properly%20redirected%20to%20the%20Google%20sign-in%20page%2C%20however%20after%20successful%20authentication%20the%20user%20is%20returned%20to%20the%20Microsoft%20O365%20sign-in%20page.%20I%20have%20had%20Google%20support%20confirm%20that%20they%20flow%20looks%20correct%20on%20their%20end.%20I'm%20having%20trouble%20seeing%20where%20the%20failure%20is%20on%20the%20Microsoft%20end.%20My%20suspicion%20is%20that%20it's%20bc%20our%20AD%20domain%20is%20corp.company.com%20rather%20than%20company.com%20as%20our%20email%20is.%20However%2C%20I%20did%20change%20the%20UPN%20from%20AzureAD%20to%20reflect%20the%20email%20attribute%20as%20the%20primary.%20(since%20that%20value%20is%20the%20same%20as%20the%20Google%20email%20address.%20Anyone%20have%20any%20insight%20into%20this%20configuration%3F%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThank%20you%20and%20have%20a%20happy%20new%20year.%3C%2FP%3E%0A%3CP%3E-Jon%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-140270%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAuthentication%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EIdentity%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-143169%22%20slang%3D%22en-US%22%3ERe%3A%20Using%20Google%20as%20IDP%20for%20O365%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-143169%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Pierre%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThank%20you%20for%20helping%20clear%20this%20up.%20I'm%20still%20unsure%20of%20the%20difference%20and%20usage%20between%20userPrincipleName%20%26amp%3B%20sourceAnchor.%20Our%20IDP%20will%20be%20identifying%20the%20user%20via%20email%20address%20since%20Google%20is%20our%20email%20provider%20and%20knows%20each%20user's%20email%20address.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWe%20are%20not%20using%20samAccountName%20to%20identify%20users%20as%20our%20windows%20domain%20is%20corp.company.com%20rather%20than%20company.com%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWhat%20would%20you%20recommend%20the%20userPrincipleName%20%26amp%3B%20sourceAnchor%20values%20be%20set%20as%20in%20order%20to%20make%20this%20functional%20(I%20noticed%20in%20that%20article%20that%20'%40'%20may%20not%20be%20supported%20for%20sourceAnchor)%3F%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EBest%2C%3C%2FP%3E%0A%3CP%3EJon%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-143159%22%20slang%3D%22en-US%22%3ERe%3A%20Using%20Google%20as%20IDP%20for%20O365%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-143159%22%20slang%3D%22en-US%22%3E%3CP%3EThere%20are%20some%20explanations%20there%3A%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fconnect%2Factive-directory-aadconnect-design-concepts%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fconnect%2Factive-directory-aadconnect-design-concepts%3C%2FA%3E%20tell%20us%20if%20that%20helps!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-143064%22%20slang%3D%22en-US%22%3ERe%3A%20Using%20Google%20as%20IDP%20for%20O365%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-143064%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Pierre%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThank%20you%20for%20that%20insight!%20I%20am%20using%20AzureAD%20connect%20to%20synchronize%20these%20users%20from%20my%20on-premise%20AD%20so%20the%20ImmutableID%20is%20being%20set%20automatically.%20I%20took%20steps%20to%20consciously%20set%20the%20UPN%20to%20the%20email%20attribute%20so%20that%20there%20is%20a%20match%20there%20on%20the%20Google%20side.%20I%20think%20I%20incorrectly%20assumed%20this%20would%20take%20care%20of%20the%20ImmutableID%20as%20well.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWhat%20steps%20can%20I%20take%20in%20order%20to%20control%20the%20ImmutableID%20if%20I%20am%20using%20this%20sync%20method%20instead%20of%20creating%20users%20via%20PowerShell%3F%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EBest%2C%3C%2FP%3E%0A%3CP%3EJon%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-142866%22%20slang%3D%22en-US%22%3ERe%3A%20Using%20Google%20as%20IDP%20for%20O365%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-142866%22%20slang%3D%22en-US%22%3E%3CP%3EYour%20error%20message%20is%20on%20the%20frame%2090%3A%3C%2FP%3E%0A%3CPRE%3EAADSTS51004%3A%20To%20sign%20into%20this%20application%20the%20account%20must%20be%20added%20to%20the%20123abc89-abcd-1234-1234-abcdabcd%20directory.%0ATrace%20ID%3A%20d8f05825-16fa-4ea6-924b-63fdf34e0c00%0ACorrelation%20ID%3A%20a58ee092-b0ee-40f2-902f-4863b19d6240%0ATimestamp%3A%202018-01-08%2022%3A41%3A56Z%3C%2FPRE%3E%0A%3CP%3EYou%20don't%20have%20access%20with%20the%20account%20you%20specified%20in%20the%20NameID%3A%3C%2FP%3E%0A%3CPRE%3E%20%20%26lt%3Bsaml2%3ASubject%26gt%3B%0A%20%20%20%20%26lt%3Bsaml2%3ANameID%20Format%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Anameid-format%3Apersistent%22%26gt%3Bazure.test%40contoso.com%26lt%3B%2Fsaml2%3ANameID%26gt%3B%0A...%0A%20%20%26lt%3B%2Fsaml2%3ASubject%26gt%3B%3C%2FPRE%3E%0A%3CP%3EIt%20seems%20that%20the%20NameID%20should%26nbsp%3Bhave%20the%20immutable%20ID%20of%20the%20user%20you%20have%20provisionned%20in%20Azure%20AD.%20So%20what%20immutable%20ID%20did%20you%20use%20for%20the%26nbsp%3Brepresentation%20of%20that%20user%3F%20There%20is%20a%20bit%20more%20information%20here%3A%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fconnect%2Factive-directory-aadconnect-federation-saml-idp%20%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fconnect%2Factive-directory-aadconnect-federation-saml-idp%3C%2FA%3E%20%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-142820%22%20slang%3D%22en-US%22%3ERe%3A%20Using%20Google%20as%20IDP%20for%20O365%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-142820%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Pierre%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EI've%20attached%20my%20Fiddler%20capture.%20I%20removed%20any%20entry%20that%20mentioned%20my%20user%2Fdomain%2Fpassword.%20Hopefully%20you%20don't%20miss%20any%20of%20the%20interaction%20with%20this.%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EI%20do%20not%20see%20an%20additional%20information%20page.%20When%20logging%20in%20from%20portal.office.com%20I%20am%20returned%20to%20the%20login%20page%20with%20no%20status%20update.%20When%20logging%20in%20from%20portal.azure.com%20I%20get%20the%20following%20message%3A%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20289px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F26546i44BA1150E6128648%2Fimage-dimensions%2F289x371%3Fv%3D1.0%22%20width%3D%22289%22%20height%3D%22371%22%20alt%3D%22Screen%20Shot%202018-01-08%20at%205.38.24%20PM.png%22%20title%3D%22Screen%20Shot%202018-01-08%20at%205.38.24%20PM.png%22%20%2F%3E%3C%2FSPAN%3E%3CBR%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EBoth%20do%20not%20seem%20to%20show%20any%20additional%20information.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EBest%2C%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EJon%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-142747%22%20slang%3D%22en-US%22%3ERe%3A%20Using%20Google%20as%20IDP%20for%20O365%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-142747%22%20slang%3D%22en-US%22%3E%3CP%3EWell%2C%20how%20do%20you%20know%20it%20doesn't%20work%20if%20there%20is%20no%20error%20message%20%3B)%3C%2Fimg%3E%26nbsp%3BIf%20it%20fails%20at%20the%20Azure%20AD%20page%2C%20you%20should%20see%20a%20short%20message%20at%20the%20bottom%20in%20the%20%22Additional%20information%22%20section.%20Do%20you%20have%20anything%20there%3F%3C%2FP%3E%0A%3CP%3EMaybe%20a%20fiddler%20trace%26nbsp%3Bmight%20help...%20If%20you%20are%20willing%20to%20share%20one%2C%20ensure%20you%20remove%20sensitive%20information%20from%20it%20(like%20passwords%20or%20usernames).%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-142746%22%20slang%3D%22en-US%22%3ERe%3A%20Using%20Google%20as%20IDP%20for%20O365%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-142746%22%20slang%3D%22en-US%22%3E%3CP%3EThank%20you%20for%20your%20response.%20Unfortunately%20no%20error%20message%20is%20generated.%20Unless%20I%20should%20be%20looking%20somewhere%20else%20for%20failure%20messages.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EBest%2C%3C%2FP%3E%0A%3CP%3EJon%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-142744%22%20slang%3D%22en-US%22%3ERe%3A%20Using%20Google%20as%20IDP%20for%20O365%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-142744%22%20slang%3D%22en-US%22%3E%3CP%3EDo%20you%20have%20any%20error%20message%20to%20share%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E
Jon Mann
Occasional Contributor

Hi All,

 

I am attempting to utilize SSO into O365 via our Google IDP and am running into some snags. When the user attempts to authenticate, they are properly redirected to the Google sign-in page, however after successful authentication the user is returned to the Microsoft O365 sign-in page. I have had Google support confirm that they flow looks correct on their end. I'm having trouble seeing where the failure is on the Microsoft end. My suspicion is that it's bc our AD domain is corp.company.com rather than company.com as our email is. However, I did change the UPN from AzureAD to reflect the email attribute as the primary. (since that value is the same as the Google email address. Anyone have any insight into this configuration?

 

Thank you and have a happy new year.

-Jon

8 Replies

Do you have any error message to share?

Thank you for your response. Unfortunately no error message is generated. Unless I should be looking somewhere else for failure messages.

 

Best,

Jon

Well, how do you know it doesn't work if there is no error message ;) If it fails at the Azure AD page, you should see a short message at the bottom in the "Additional information" section. Do you have anything there?

Maybe a fiddler trace might help... If you are willing to share one, ensure you remove sensitive information from it (like passwords or usernames).

Hi Pierre,

 

I've attached my Fiddler capture. I removed any entry that mentioned my user/domain/password. Hopefully you don't miss any of the interaction with this. 

 

I do not see an additional information page. When logging in from portal.office.com I am returned to the login page with no status update. When logging in from portal.azure.com I get the following message:

Screen Shot 2018-01-08 at 5.38.24 PM.png

Both do not seem to show any additional information.

 

Best,

Jon

Your error message is on the frame 90:

AADSTS51004: To sign into this application the account must be added to the 123abc89-abcd-1234-1234-abcdabcd directory.
Trace ID: d8f05825-16fa-4ea6-924b-63fdf34e0c00
Correlation ID: a58ee092-b0ee-40f2-902f-4863b19d6240
Timestamp: 2018-01-08 22:41:56Z

You don't have access with the account you specified in the NameID:

  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">azure.test@contoso.com</saml2:NameID>
...
  </saml2:Subject>

It seems that the NameID should have the immutable ID of the user you have provisionned in Azure AD. So what immutable ID did you use for the representation of that user? There is a bit more information here: https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-federati...

Hi Pierre,

 

Thank you for that insight! I am using AzureAD connect to synchronize these users from my on-premise AD so the ImmutableID is being set automatically. I took steps to consciously set the UPN to the email attribute so that there is a match there on the Google side. I think I incorrectly assumed this would take care of the ImmutableID as well.

 

What steps can I take in order to control the ImmutableID if I am using this sync method instead of creating users via PowerShell?

 

Best,

Jon

Hi Pierre,

 

Thank you for helping clear this up. I'm still unsure of the difference and usage between userPrincipleName & sourceAnchor. Our IDP will be identifying the user via email address since Google is our email provider and knows each user's email address.

 

We are not using samAccountName to identify users as our windows domain is corp.company.com rather than company.com

 

What would you recommend the userPrincipleName & sourceAnchor values be set as in order to make this functional (I noticed in that article that '@' may not be supported for sourceAnchor)?

 

Best,

Jon

Related Conversations
Urgent - Teams and Yealink
reditguy in Microsoft Teams on
4 Replies
Restoring deleted "Files" folder
Daniel Carp in Microsoft Teams on
15 Replies
Quarantine Digest
Jerry Gonzalez in Microsoft 365 on
2 Replies