├── dfs-pf-samlp.xml
└── README.md

/dfs-pf-samlp.xml:
https://raw.githubusercontent.com/IAmFrench/GSuite-as-identity-Provider-IdP-for-Office-365-or-Azure-Active-Directory/HEAD/dfs-pf-samlp.xml

/README.md:

# GSuite-as-identity-Provider-IdP-for-Office-365-or-Azure-Active-Directory
_Sync G Suite accounts with Azure Active Directory!_

## Google Admin requirements
### Set up SAML app (choose Microsoft Office 365)

> [GSuite Admin SAML Apps Link](https://admin.google.com/AdminHome?fral=1#AppsList:serviceType=SAML_APPS)

![GSuite SAML Apps](https://i.imgur.com/qSIrLyN.png)

Note:

ACS URL: `https://login.microsoftonline.com/login.srf`

Entity ID: `urn:federation:MicrosoftOnline`

![GSuite Office 365 Settings](https://i.imgur.com/0yEnR5m.png)

### Configure Provisioning

_Ensure that you are using an administrator Azure Active Directory account that is not already linked to your existing Google account._

> [GSuite Office 365 Provisioning settings Link](https://admin.google.com/AdminHome?fral=1#AppDetails:service=935556381546&flyout=provisioningSetupV2)

![GSuite Office 365 settings](https://i.imgur.com/giY8PmH.png)

## Azure Active Directory requirements (this is a pain in the a**)
Validate your domain on Azure:
https://portal.azure.com/?l=en.en-us#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Domains

And DON'T set this domain as Primary:

![](https://i.imgur.com/GhEaTXo.png)

Download the `GoogleIDPMetadata-{your-domain}.xml` file:

![GoogleIDPMetadata-{your-domain}.xml sample file](https://i.imgur.com/rNvQshH.png)

Then install all required tools (PowerShell tools):

![Required PowerShell tools](https://i.imgur.com/sSkF2vZ.png)
https://www.microsoft.com/en-us/download/details.aspx?id=41950

Then start a PowerShell console and install the module:
`Install-Module MSOnline`
Enter your Microsoft credentials when prompted:

```
Import-Module MSOnline
$MsolCred = Get-Credential
Connect-MsolService -Credential $MsolCred
```

Now edit my sample `dfs-pf-samlp.xml` file with your Google IDs:

- replace `GOOGLESAMLID`, and
- copy-paste your certificate (from the `GoogleIDPMetadata-{your-domain}.xml` file)

Then import the config into PowerShell:
```
$wsfed = Import-Clixml dfs-pf-samlp.xml
```

And set the domain as federated:
```
Set-MsolDomainAuthentication -DomainName "{your-domain}" `
    -FederationBrandName $wsfed.FederationBrandName `
    -Authentication Federated `
    -PassiveLogOnUri $wsfed.PassiveLogOnUri `
    -ActiveLogOnUri $wsfed.ActiveLogOnUri `
    -SigningCertificate $wsfed.SigningCertificate `
    -IssuerUri $wsfed.IssuerUri `
    -LogOffUri $wsfed.LogOffUri `
    -PreferredAuthenticationProtocol "SAMLP"
```

And use this command to export your domain settings:
```
Get-MsolDomainFederationSettings -DomainName "{your-domain}" | Export-Clixml dfs-pf-samlp.xml
```

The command to view the config is:
```
Get-MsolDomainFederationSettings -DomainName "{your-domain}" | Format-List *
```

Next you have to assign a license to all your users and set Azure self-service password reset to off:

https://portal.azure.com/?l=en.en-us#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/PasswordReset

Test the login in incognito or InPrivate mode:
1. From Office 365: https://www.office.com/
2. From the App launcher (Google App)

![Google App launcher](https://i.imgur.com/UfVOBQ9.png)

## Troubleshooting

1. Delete the user from the Azure side.
2. Wait a few hours for G Suite Auto Provisioning to work.
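The federation steps above hand-edit the sample `dfs-pf-samlp.xml`. As an added example (not code from this repo), the script below derives the same settings directly from the `GoogleIDPMetadata-{your-domain}.xml` download, refuses to federate the primary domain, and checks afterwards that the signing certificate Azure AD now trusts is the one from Google's metadata. It assumes the standard SAML 2.0 metadata layout (`md:EntityDescriptor` entityID as the issuer, the HTTP-Redirect `SingleSignOnService` as the sign-on URL, a `use="signing"` `KeyDescriptor`) and, since the sample file is not reproduced on this page, uses the SSO URL for the active and log-off URIs and the brand name `G Suite` as placeholders.

```powershell
# Added example: build Azure AD federation settings from Google's SAML metadata
# and verify the result. Cmdlets and parameters are those of the MSOnline module.
param(
    [Parameter(Mandatory)] [string] $DomainName,    # e.g. "{your-domain}" (placeholder)
    [Parameter(Mandatory)] [string] $MetadataPath   # path to GoogleIDPMetadata-{your-domain}.xml
)

Import-Module MSOnline
Connect-MsolService -Credential (Get-Credential)

# Guard: the README warns that the federated domain must NOT be the primary (default) domain.
$domain = Get-MsolDomain -DomainName $DomainName
if ($domain.IsDefault)           { throw "$DomainName is the primary domain; use a non-primary verified domain." }
if ($domain.Status -ne 'Verified') { throw "$DomainName is not verified in Azure AD yet." }

# Parse the SAML 2.0 metadata (assumed standard layout, see lead-in).
[xml] $md = Get-Content -Raw -Path $MetadataPath
$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

$ssoXPath  = "//md:SingleSignOnService[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect']"
$certXPath = "//md:KeyDescriptor[@use='signing']//ds:X509Certificate"
$issuer  = $md.SelectSingleNode('/md:EntityDescriptor', $ns).GetAttribute('entityID')
$ssoUrl  = $md.SelectSingleNode($ssoXPath, $ns).GetAttribute('Location')
# Base64 body with whitespace removed: the form -SigningCertificate expects.
$certB64 = $md.SelectSingleNode($certXPath, $ns).InnerText -replace '\s', ''
$certType = [System.Security.Cryptography.X509Certificates.X509Certificate2]
$expectedThumb = $certType::new([Convert]::FromBase64String($certB64)).Thumbprint

# Same call as the README, with values taken from the metadata instead of the sample XML.
# Assumption (placeholder): active and log-off URIs reuse the SSO URL; brand name is 'G Suite'.
Set-MsolDomainAuthentication -DomainName $DomainName -Authentication Federated `
    -FederationBrandName 'G Suite' -IssuerUri $issuer -PassiveLogOnUri $ssoUrl `
    -ActiveLogOnUri $ssoUrl -LogOffUri $ssoUrl -SigningCertificate $certB64 `
    -PreferredAuthenticationProtocol SAMLP

# Verify: the certificate Azure AD will accept SAML assertions from must match Google's metadata.
$fed = Get-MsolDomainFederationSettings -DomainName $DomainName
$actualThumb = $certType::new([Convert]::FromBase64String($fed.SigningCertificate)).Thumbprint
if ($actualThumb -ne $expectedThumb) {
    throw "Signing certificate mismatch: expected $expectedThumb, got $actualThumb"
}
"Federation configured for $DomainName; trusted signing certificate thumbprint $actualThumb"
```

Re-run the final `Get-MsolDomainFederationSettings` check whenever Google rotates its IdP certificate, since a stale or unexpected `SigningCertificate` on the domain is the setting to watch.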