This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(22.400000000000002, 60%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHG%3C/text%3E%3C/svg%3E)
Sorry for posting this question the 2nd time. I have spend quite a bit of time on this and are really hoping someone to help me with this.
I am setting up an External Identity Provider using Google Workspace on my Azure tenant. The intention is to be able to use the guest account (via invitation) managed from by Google Workspace to sign in to the Office 365 app.
I have read though the B2B Saml federation doc. from Microsoft along with other web references, however I am still unable to get it working. From the saml web\mobile app that I created under the Google workspace, whenever I click on the test saml login, I always got the error: AADSTS50107: The requested federation realm object 'https://accounts.google.com/o/saml2?idpid=xxxxxxxxx' does not exist. The account that is being used to login to Google Workspace has been added to Azure AD as guest.
Here is what I did with the setup.
In Azure
Created an External Identity SAML configuration using the following powershell command.
$federationSettings = New-Object Microsoft.Open.AzureAD.Model.DomainFederationSettings
$federationSettings.PassiveLogOnUri ="https://accounts.google.com/o/saml2/idp?idpid=xxxxxxxxx"
$federationSettings.ActiveLogOnUri = "https://accounts.google.com/o/saml2/idp?idpid=xxxxxxxxx"
$federationSettings.LogOffUri = "https://accounts.google.com/o/saml2/idp?idpid=xxxxxxxxx"
$federationSettings.IssuerUri = "https://accounts.google.com/o/saml2?idpid=xxxxxxxxx"
$federationSettings.SigningCertificate= "signing cert from Google"
$federationSettings.PreferredAuthenticationProtocol="Samlp"
$domainName = "mydomain.xyz"
New-AzureADExternalDomainFederation -ExternalDomainName $domainName -FederationSettings $federationSettings
In Google Workspace
Create an SAML web\mobile app using the Micorosft Office 365 template from their app store.
using the following settings for the app:
ACS URL: https://login.microsoftonline.com/login.srf (default)
Entity ID: urn:federation:MicrosoftOnline (default)
Enabled signed response
Name ID format: Persistent, Name ID: Basic Information > Primary email
SAML attribute mapping: Primary email > IDPEmail
I added the following txt record in the mydomain.xyz domain
mydomain.xyz IN TXT DirectFedAuthUrl=https://accounts.google.com/o/saml2/idp?idpid=xxxxxxxxx
Any help will be much appreciated.
Thank you.
@HK G
Thank you for your post and I apologize for such a delayed response!
If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(240, 64%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVP%3C/text%3E%3C/svg%3E)
@HK G where you able to get past this error? I am stuck at the same error for Azure B2b collaboration with Google Workspace IDP