LET'S CHANGE IDENTITY PROVIDERS
When using an on-premises Active Directory with user and password sync to GSuite, remediation actions taken from our platform are overwritten whenever a sync occurs. If you have Microsoft Azure Active Directory with at least a P1 license level, you can replace your on-premises Active Directory with Azure AD as the identity provider and take remediation actions on user accounts that will not be overwritten. This guide walks through configuring both GSuite and Azure AD to make this possible.
Note:
This is a drastic change in the authentication configuration for your domain and should not be done without trials in a test environment. Please reach out to us at support@managedmethods.com to discuss the pros, cons, and requirements of making this change.
Step 1
Navigate to https://portal.azure.com/ and sign in using a global administrator account. Once logged in, open the sidebar and click "Azure Active Directory".
Step 2
If the domain name used in your GSuite environment is not already listed under "Custom domain names" in Azure Active Directory, you will need to add and verify it.
Step 3
On the sidebar, click "Enterprise applications".
Next, click "New Application".
Now, in the "Add from the gallery" section, locate the "Google Cloud / G Suite Connector by Microsoft" application and click it. On the sidebar that appears, click "Add".
Step 4
Once the connector is added successfully you should be redirected to its configuration page. If not, you can navigate to it from the main Azure portal using the sidebar links "Azure Active Directory" > "Enterprise applications", then searching for and clicking on the "Google Cloud / G Suite Connector by Microsoft" application. Once on the configuration page for the connector, click "Set up single sign on".
Next, select SAML as the single sign-on method.
Start the configuration by clicking the edit pen in the "Basic SAML Configuration" box.
Fill out the first three fields using the example below, replacing yourdomain.com with the custom domain used in your GSuite environment. Once entered, click "Save".
Identifier (Entity ID):
google.com/a/yourdomain.com
Reply URL (Assertion Consumer Service URL):
https://www.google.com/a/yourdomain.com/acs
Sign on URL:
https://www.google.com/a/yourdomain.com/ServiceLogin?continue=https://mail.google.com
Step 5
Continue the configuration by clicking the edit pen in the "User Attributes & Claims" box.
Click on "Unique User Identifier (Name ID)"
GSuite expects this claim to be mapped to the user's email address. By default the name identifier format should be set to "Email address", which works for most cases. Alternatively, the source attribute of the claim can be changed to user.mail to ensure the mapping is to the email address.
Step 6
In the "SAML Signing Certificate" box, click the Download link next to "Certificate (Base64)".
Step 7
Leave this page open as you will need the URLs listed in the "Set up Google Cloud / G Suite Connector by Microsoft" box for the next steps.
Step 8
In a new tab or window, navigate to your GSuite admin portal at https://admin.google.com/ and click "Security".
Scroll down to and select "Set up single sign-on (SSO) with a third-party IdP".
Using the certificate file downloaded in step 6 and the URLs from the "Set up Google Cloud / G Suite Connector by Microsoft" box in Azure AD, fill out the fields and checkboxes on that page.
Finally, click the "Save" button on the bottom right of the page.
Step 9
Now that everything is configured, you'll need to add your users from Azure AD to the "Users and groups" section of the "Google Cloud / G Suite Connector by Microsoft" application to enable SSO for them.
Note:
These users (in Azure AD) must have the exact same email addresses as your GSuite users for this setup to work.
Step 10
You can now test your configuration by attempting to log in to Google with an account you added in step 9.
If configured correctly, you should be redirected to the Microsoft sign-in page.
If the sign-in succeeds you'll be logged in to Google.
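If the test in step 10 fails, the usual causes are the three Basic SAML Configuration values from step 4, the Name ID format from step 5, or an Azure AD user whose email does not match a GSuite user (the note in step 9). The following added example (not part of this guide or of either vendor's tooling) derives the expected values for a domain and checks a SAML response, captured from a browser SAML tracer, against them; the sample response and the user list are constructed, and the script checks only field mapping, not the XML signature.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


def expected_settings(domain):
    """The three Basic SAML Configuration values from step 4 for one domain."""
    return {
        "entity_id": f"google.com/a/{domain}",
        "acs_url": f"https://www.google.com/a/{domain}/acs",
        "sign_on_url": f"https://www.google.com/a/{domain}/ServiceLogin"
                       "?continue=https://mail.google.com",
    }


def check_response(xml_text, domain, gsuite_users):
    """Return a list of mismatches; an empty list means the mapping lines up.
    Only Destination, Audience and NameID are checked; the XML signature
    is validated by Google, not here."""
    exp = expected_settings(domain)
    problems = []
    root = ET.fromstring(xml_text)
    if root.get("Destination") != exp["acs_url"]:
        problems.append(f"Destination is not the Reply URL {exp['acs_url']}")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["response carries no Assertion"]
    audience = assertion.find(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    if audience is None or audience.text != exp["entity_id"]:
        problems.append(f"Audience is not the Identifier {exp['entity_id']}")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        return problems + ["assertion carries no NameID"]
    if name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID format is not emailAddress (step 5)")
    if name_id.text not in gsuite_users:
        problems.append(f"NameID {name_id.text} matches no GSuite user (step 9)")
    return problems


# Constructed sample response, not captured from a real tenant.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 Destination="https://www.google.com/a/yourdomain.com/acs"><saml:Assertion>
 <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
 >alice@yourdomain.com</saml:NameID></saml:Subject><saml:Conditions><saml:AudienceRestriction>
 <saml:Audience>google.com/a/yourdomain.com</saml:Audience></saml:AudienceRestriction>
 </saml:Conditions></saml:Assertion></samlp:Response>"""
```

Run check_response on the decoded SAMLResponse with your own domain and a list of GSuite user addresses; each message it returns names the step to revisit.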
Next Steps
Once this configuration is complete and tested, the last step is to reach out to us at support@managedmethods.com so we can help authorize your Microsoft tenant with our platform. This is needed to monitor login events and take action on user accounts.