I am trying to provision users into Azure AD from Google Workspace, and let my users log into the Azure Portal using their company Google account. I have added my custom domain to Azure AD and configured the integration on the Google side. However, while provisioning is working, when a user tries to log into Azure they need to enter a password instead of being redirected to Google to use their Workspace account.
Reading through the documentation, I have set a TXT record to use the SSO URL indicated by Google as the DirectFedAuthUrl attribute. I have verified via a different tool that it is indeed set to https://accounts.google.com/o/saml2/idp?idpid=xxxx. Now, when I try to set up SAML in Azure AD using my custom domain, it returns an error that the direct federation policy does not pass some requirements, and directs me to the documentation. What am I doing wrong?
How can I verify my custom domain so it works with Azure SAML?
• Please check whether the authentication URL entered for sending users to authenticate and receive a token from Google matches Google's target domain, such that when the users try to access the application in Azure, they are redirected correctly to the Google IdP.
• Also, please check if your added custom domain is verified in Azure AD and your domain is not managed through Azure AD because if this is the case then Azure blocks SAML/WS-Fed IdP federation for Azure AD verified domains in favor of native Azure AD managed domain capabilities.
• Ensure that your unique custom domain is registered with one tenant only in Azure AD, as currently federation with multiple domains through the same tenant is not supported. Also, check whether the DNS TXT records that you have updated for the custom domain used in Azure AD while setting up federation are correctly set up, i.e., the TXT records should be updated for the domain that you have set up in Google Suite, and if it is different from the custom domain used in Azure AD, please set the TXT records as below:
fabrikam.com. IN TXT DirectFedAuthUrl=https://fabrikamconglomerate.com/adfs
In this case, 'fabrikam.com' is the registered domain name but the domain in the authentication URL does not match the registered domain name, so you will need to update the TXT records as above in your public DNS registry. Also, Microsoft has stated in its official documentation that there is a known issue with the above step and that they are actively working on resolving it, as adding a DNS TXT record to the federating IdP's domain currently won't unblock authentication.
Please find the link below for more information:
https://learn.microsoft.com/en-us/azure/active-directory/external-identities/direct-federation
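The checks in the answer above (does the IdP host match the registered domain, and if not, is a matching DirectFedAuthUrl TXT record published?) can be scripted so they are verified before the federation is created in Azure AD. The following is an added example, not code from the original post or from Microsoft; the domain names and TXT answers in it are constructed, and the https-only check is this script's own assumption rather than something the answer states. It expects TXT records in the quoted-string form a resolver such as `dig +short TXT fabrikam.com` prints.

```python
from urllib.parse import urlparse

# Constructed sample TXT answers, in the shape a resolver returns them
# (each record is a quoted string). Not real DNS data.
SAMPLE_TXT = {
    "fabrikam.com": ['"DirectFedAuthUrl=https://fabrikamconglomerate.com/adfs"',
                     '"v=spf1 -all"'],
    "contoso.example": ['"v=spf1 -all"'],
    "northwind.example": ['"DirectFedAuthUrl=http://idp.northwind-id.example/saml"'],
}

PREFIX = "DirectFedAuthUrl="


def get_direct_fed_auth_url(txt_records):
    """Return the DirectFedAuthUrl value from a list of TXT strings, or None."""
    for rec in txt_records:
        value = rec.strip().strip('"')
        if value.startswith(PREFIX):
            return value[len(PREFIX):]
    return None


def host_matches_domain(auth_url, domain):
    """True if the IdP endpoint host is the registered domain or a subdomain of it."""
    host = (urlparse(auth_url).hostname or "").lower()
    domain = domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def check_federation_prereqs(domain, auth_url, txt_records):
    """Return a list of findings, each starting with 'ok:' or 'error:'."""
    findings = []
    # Assumption of this script: the passive authentication endpoint must be https.
    if urlparse(auth_url).scheme != "https":
        findings.append("error: passive authentication URL must use https")
    if host_matches_domain(auth_url, domain):
        findings.append("ok: IdP host matches the registered domain; no TXT record needed")
        return findings
    # Hosts differ (always the case for accounts.google.com), so the TXT record is required.
    published = get_direct_fed_auth_url(txt_records)
    if published is None:
        findings.append(f"error: no DirectFedAuthUrl TXT record on {domain}")
    elif published != auth_url:
        findings.append(f"error: TXT record points to {published}, "
                        f"but the federation is configured with {auth_url}")
    else:
        findings.append("ok: DirectFedAuthUrl TXT record matches the configured IdP URL")
    return findings


if __name__ == "__main__":
    # Placeholder idpid; substitute the value from the Google Workspace SAML app.
    google_url = "https://accounts.google.com/o/saml2/idp?idpid=IDPID_PLACEHOLDER"
    for domain, url in [("fabrikam.com", "https://fabrikamconglomerate.com/adfs"),
                        ("contoso.example", google_url),
                        ("northwind.example", "http://idp.northwind-id.example/saml")]:
        for finding in check_federation_prereqs(domain, url, SAMPLE_TXT[domain]):
            print(f"{domain}: {finding}")
```

For a live check, replace `SAMPLE_TXT[domain]` with the lines printed by `dig +short TXT <domain>`; a Google Workspace IdP will always take the TXT-record path, since accounts.google.com can never match a customer domain.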