@HK G were you able to get past this error? I am stuck at the same error for Azure B2B collaboration with Google Workspace as the IdP.
Azure B2B External Identity using Google Workspace
Sorry for posting this question a second time. I have spent quite a bit of time on this and am really hoping someone can help me with it.
I am setting up an external identity provider using Google Workspace on my Azure tenant. The intention is to be able to use a guest account (via invitation) managed by Google Workspace to sign in to the Office 365 app.
I have read through the B2B SAML federation docs from Microsoft along with other web references, but I am still unable to get it working. From the SAML web/mobile app that I created under Google Workspace, whenever I click on the test SAML login, I always get the error: AADSTS50107: The requested federation realm object 'https://accounts.google.com/o/saml2?idpid=xxxxxxxxx' does not exist. The account being used to log in to Google Workspace has been added to Azure AD as a guest.
Here is what I did with the setup.
In Azure
Created an external identity SAML federation using the following PowerShell commands (AzureAD module, after Connect-AzureAD).
# Federation settings describing the Google Workspace IdP
$federationSettings = New-Object Microsoft.Open.AzureAD.Model.DomainFederationSettings
# Google's SAML SSO endpoint, used for passive (browser) and active sign-on and for sign-out
$federationSettings.PassiveLogOnUri ="https://accounts.google.com/o/saml2/idp?idpid=xxxxxxxxx"
$federationSettings.ActiveLogOnUri = "https://accounts.google.com/o/saml2/idp?idpid=xxxxxxxxx"
$federationSettings.LogOffUri = "https://accounts.google.com/o/saml2/idp?idpid=xxxxxxxxx"
# Issuer / entityID that Google puts in the SAML response
$federationSettings.IssuerUri = "https://accounts.google.com/o/saml2?idpid=xxxxxxxxx"
# Base64 body of Google's IdP signing certificate, without PEM header/footer lines
$federationSettings.SigningCertificate= "signing cert from Google"
$federationSettings.PreferredAuthenticationProtocol="Samlp"
$domainName = "mydomain.xyz"
New-AzureADExternalDomainFederation -ExternalDomainName $domainName -FederationSettings $federationSettings
In Google Workspace
Created a SAML web/mobile app using the Microsoft Office 365 template from their app store,
using the following settings for the app:
ACS URL: https://login.microsoftonline.com/login.srf (default)
Entity ID: urn:federation:MicrosoftOnline (default)
Enabled signed response
Name ID format: Persistent, Name ID: Basic Information > Primary email
SAML attribute mapping: Primary email > IDPEmail
I added the following TXT record in the mydomain.xyz domain:
mydomain.xyz IN TXT DirectFedAuthUrl=https://accounts.google.com/o/saml2/idp?idpid=xxxxxxxxx
Any help will be much appreciated.
Thank you.
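As an added example (not code from the post above, and not Microsoft's or Google's own tooling), the script below builds the same External Identities federation but takes IssuerUri, the sign-on URL and the signing certificate from the IdP metadata XML that the Google Workspace SAML app lets you download, rather than retyping them, and runs three pre-flight checks before it touches the tenant: the certificate parses and is not expired, the DirectFedAuthUrl TXT record carries exactly the passive sign-on URL about to be configured, and after creation the stored IssuerUri is read back and compared with the metadata entityID. Assumptions: the AzureAD PowerShell module is installed and Connect-AzureAD has already been run (that module is being retired in favour of Microsoft Graph PowerShell, but the post uses it, so the example stays with the same cmdlets); GoogleIDPMetadata.xml is the file downloaded from the Google Admin console for the SAML app; the domain name, file path and function names are placeholders chosen for the example.

```powershell
# Added example: derive Azure AD B2B external federation settings for a Google
# Workspace SAML IdP from Google's metadata file and validate before applying.
# Assumes (not from the original post): AzureAD module loaded, Connect-AzureAD done,
# GoogleIDPMetadata.xml downloaded from Google Admin for the SAML app.
param(
    [string]$MetadataPath   = '.\GoogleIDPMetadata.xml',   # path is a placeholder
    [string]$ExternalDomain = 'mydomain.xyz',               # domain is a placeholder
    [switch]$Apply                                          # without -Apply: validate only
)

# Parse SAML 2.0 IdP metadata: entityID (the <Issuer> Google will send),
# the HTTP-Redirect SingleSignOnService endpoint and the signing certificate.
function Get-IdpMetadataSettings {
    param([Parameter(Mandatory)][string]$Path)
    $xml = [xml](Get-Content -Path $Path -Raw)
    $ns  = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

    $entityId = $xml.SelectSingleNode('/md:EntityDescriptor/@entityID', $ns).Value
    $ssoUrl   = $xml.SelectSingleNode(
        '/md:EntityDescriptor/md:IDPSSODescriptor/md:SingleSignOnService' +
        '[@Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"]/@Location', $ns).Value
    # DomainFederationSettings.SigningCertificate wants the bare base64 body:
    # no PEM header/footer and no line breaks.
    $certB64 = ($xml.SelectSingleNode('//ds:X509Certificate', $ns).InnerText) -replace '\s', ''

    [pscustomobject]@{ EntityId = $entityId; SsoUrl = $ssoUrl; SigningCertificate = $certB64 }
}

# Confirm the certificate decodes as X.509 and has not expired; a stale or
# mangled certificate makes every signed response fail validation in Azure AD.
function Test-SigningCertificate {
    param([Parameter(Mandatory)][string]$Base64)
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
        [Convert]::FromBase64String($Base64))
    if ($cert.NotAfter -lt (Get-Date)) {
        throw "IdP signing certificate expired on $($cert.NotAfter)"
    }
    return $cert
}

# The DirectFedAuthUrl TXT record on the external domain must match the
# PassiveLogOnUri exactly; compare the live DNS answer with the intended value.
function Test-DirectFedTxtRecord {
    param([Parameter(Mandatory)][string]$Domain,
          [Parameter(Mandatory)][string]$ExpectedUrl)
    $records = Resolve-DnsName -Name $Domain -Type TXT -ErrorAction Stop
    $values  = $records | ForEach-Object { ($_.Strings -join '') }
    return ($values -contains "DirectFedAuthUrl=$ExpectedUrl")
}

$idp  = Get-IdpMetadataSettings -Path $MetadataPath
$cert = Test-SigningCertificate -Base64 $idp.SigningCertificate
Write-Host "Issuer (entityID): $($idp.EntityId)"
Write-Host "SSO URL:           $($idp.SsoUrl)"
Write-Host "Signing cert:      $($cert.Subject), valid until $($cert.NotAfter)"

if (-not (Test-DirectFedTxtRecord -Domain $ExternalDomain -ExpectedUrl $idp.SsoUrl)) {
    Write-Warning "No TXT record 'DirectFedAuthUrl=$($idp.SsoUrl)' found on $ExternalDomain"
}

$federationSettings = New-Object Microsoft.Open.AzureAD.Model.DomainFederationSettings
$federationSettings.IssuerUri          = $idp.EntityId        # must equal SAML <Issuer>
$federationSettings.PassiveLogOnUri    = $idp.SsoUrl          # must equal the TXT record URL
$federationSettings.ActiveLogOnUri     = $idp.SsoUrl
$federationSettings.LogOffUri          = $idp.SsoUrl
$federationSettings.SigningCertificate = $idp.SigningCertificate
$federationSettings.PreferredAuthenticationProtocol = 'Samlp'

if ($Apply) {
    New-AzureADExternalDomainFederation -ExternalDomainName $ExternalDomain `
        -FederationSettings $federationSettings | Out-Null
    # Read the configuration back and compare the stored issuer with the metadata.
    $stored = (Get-AzureADExternalDomainFederation -ExternalDomainName $ExternalDomain).FederationSettings
    if ($stored.IssuerUri -ne $idp.EntityId) {
        throw "Stored IssuerUri '$($stored.IssuerUri)' differs from metadata entityID '$($idp.EntityId)'"
    }
    Write-Host "Federation for $ExternalDomain created; IssuerUri matches metadata."
} else {
    Write-Host "Dry run only; re-run with -Apply to create the federation."
}
```

Run it once without -Apply to see the values it would set and whether the TXT record resolves, then with -Apply. Driving the settings from the metadata file matters here because Google uses two different URLs that differ by a single path segment (the entityID `.../o/saml2?idpid=...` and the SSO endpoint `.../o/saml2/idp?idpid=...`); an AADSTS50107 lookup is a string match on the issuer, so any transcription difference between what Google sends and what was typed into IssuerUri is enough to make the realm object "not exist".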