We run our domains via Google. We have those domains verified in Azure for various purposes.
What I'd like to accomplish is to allow my users that use O365 to be able to sign in with their Google credentials. As I understand it, this is done through federation, SAML, and SSO. I've followed Google's instructions on setting this up and have hit a snag.
Using PowerShell's Set-MsolDomainAuthentication command, I get an error every time I try to change the Authentication method from Managed to Federated. I can confirm that I can see the domains and their managed status via PowerShell commands, so I am at least connected to our Azure.
Set-MsolDomainAuthentication : Unable to complete this action. Try again later.
At line:1 char:1
+ Set-MsolDomainAuthentication
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (:) [Set-MsolDomainAuthentication], MicrosoftOnlineException
+ FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.InternalServiceException,Microsoft.Online.Administration.Automation.SetDomainAuthentication
Azure logs show the attempt as
DirectoryManagement
Set domain authentication
Failure
Microsoft.Online.Workflows.ValidationException
Any help and direction is welcome. I've been searching high and low for solutions.
Side note: I have tried the convert command as well, with no luck.
Found a solution using this method rather than Google's prescribed method. https://medium.com/@james.winegar/how-to-single-sign-on-sso-between-g-suite-and-office-365-with-g-suite-as-identity-provider-idp-5bf5031835a0
IMPORTANT SIDE NOTE: For some reason or another, you cannot federate multiple domains with the same entityID in Azure. The workaround is to add spaces to the end of the entityID and Location URLs.
In my instance, I edited the metadata.xml and added the space within the quotes. There are two Location URLs in the XML; make the same change in both of them.
i.e. entityID="https://accounts.google.com/o/saml2?idpid=yourGoogleId "
and Location="https://accounts.google.com/o/saml2/idp?idpid=yourGoogleId "
Repeat this process for each additional domain from the same entityID. Keep in mind this is NOT a supported workaround, so use with caution.
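The steps above (read Google's IdP metadata, pad the entityID/Location for a second domain, then call Set-MsolDomainAuthentication) as a single added PowerShell script; this is example code, not the answerer's script or the linked article's. It assumes Connect-MsolService has already been run, that metadata.xml is the IdP metadata downloaded from Google, and that the parameter names $DomainName, $MetadataPath and $PadSpaces are my own; before writing anything it checks whether another federated domain already uses the same IssuerUri, which is the collision the trailing-space workaround exists to avoid.

```powershell
# Added example: federate one verified domain with Google as SAML IdP.
# Assumes Connect-MsolService has been run and metadata.xml came from Google.
param(
    [Parameter(Mandatory)] [string] $DomainName,
    [string] $MetadataPath = ".\metadata.xml",
    # Trailing spaces appended to IssuerUri/Location for a 2nd, 3rd... domain.
    # This is the unsupported workaround described in the answer above.
    [int] $PadSpaces = 0
)

[xml]$md = Get-Content -Path $MetadataPath -Raw
$ns = @{
    md = 'urn:oasis:names:tc:SAML:2.0:metadata'
    ds = 'http://www.w3.org/2000/09/xmldsig#'
}

# entityID of the IdP, the HTTP-Redirect SSO endpoint, and the signing cert.
$entityId = $md.EntityDescriptor.entityID
$ssoXPath = "//md:IDPSSODescriptor/md:SingleSignOnService" +
            "[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect']"
$ssoUrl   = (Select-Xml -Xml $md -Namespace $ns -XPath $ssoXPath |
             Select-Object -First 1).Node.Location
$cert     = (Select-Xml -Xml $md -Namespace $ns `
             -XPath "//md:IDPSSODescriptor//ds:X509Certificate" |
             Select-Object -First 1).Node.InnerText -replace '\s', ''

$pad    = ' ' * $PadSpaces
$issuer = $entityId + $pad
$sso    = $ssoUrl + $pad

# Refuse to proceed if another federated domain already uses this IssuerUri;
# Azure rejects duplicates, which is the error the answer works around.
$clash = Get-MsolDomain |
    Where-Object { $_.Authentication -eq 'Federated' -and $_.Name -ne $DomainName } |
    ForEach-Object { Get-MsolDomainFederationSettings -DomainName $_.Name } |
    Where-Object { $_.IssuerUri -eq $issuer }
if ($clash) {
    throw "IssuerUri '$issuer' is already used by another federated domain; increase -PadSpaces."
}

Set-MsolDomainAuthentication -DomainName $DomainName -Authentication Federated `
    -IssuerUri $issuer -PassiveLogOnUri $sso -ActiveLogOnUri $sso -LogOffUri $sso `
    -SigningCertificate $cert -FederationBrandName 'Google' `
    -PreferredAuthenticationProtocol SAMLP

# Show what Azure actually stored so the padded IssuerUri can be confirmed.
Get-MsolDomainFederationSettings -DomainName $DomainName |
    Select-Object IssuerUri, PassiveLogOnUri, FederationBrandName
```

Run it once per domain, increasing -PadSpaces for each additional domain that shares the same Google entityID; the final Get-MsolDomainFederationSettings output is also what to compare against the Google side if sign-in later fails.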