No. Azure AD and Google Workspace do not need to share a primary domain for SSO to work. What matters is that the NameID Azure AD puts in the SAML assertion is the user's Google Workspace primary email address: Google looks the account up by that value and SAML SSO does not create users, so the account must already exist in Google Workspace. Azure AD's default NameID is the user principal name; if your UPNs are in a different domain from your Google accounts (for example a *.onmicrosoft.com UPN), switch the claim to the mail attribute or add a claim transformation so the value matches. Beyond that, the SAML configuration between Azure AD and Google Workspace just has to be set up consistently on both sides.
Here are the high-level steps to set up SSO between Azure AD and Google Workspace:
- Azure AD Side:
- Azure Active Directory > Enterprise applications > New application.
- Select Non-gallery application (or use the gallery app "Google Cloud / G Suite Connector by Microsoft", which pre-fills the Google endpoints).
- Once the application is created, go to Single sign-on > SAML.
- To fill out the SAML configuration details, you'll need some information from Google Workspace.
- Google Workspace Side:
- Go to the Google Admin console.
- Navigate to Security > Set up SSO (in newer consoles this is under Security > Authentication > SSO with third-party IdP).
- Check the boxes for Enable SSO for Google Workspace and Use a domain-specific issuer.
- Google's side of the exchange is fixed per domain, so you will not be shown values to copy: the ACS (SSO) URL is https://www.google.com/a/<your-domain>/acs, and with a domain-specific issuer enabled the Entity ID is google.com/a/<your-domain> (without that box it is just google.com). You'll need both for the Azure AD setup.
- Back to Azure AD:
- In the Azure portal, under the SAML configuration:
Identifier = Entity ID from Google (google.com/a/<your-domain>). Reply URL = ACS URL from Google (https://www.google.com/a/<your-domain>/acs).
- Once you save these settings, Azure will provide a Login URL and a Logout URL, and you'll also get the Azure AD signing certificate (download the Base64 version).
- Back to Google Workspace:
- In the Google Admin console, under the SSO setup:
Sign-in page URL = Login URL from Azure AD. Sign-out page URL = Logout URL from Azure AD. Upload the Azure AD signing certificate as the verification certificate. Google rejects assertions whose signature does not match the uploaded certificate, so plan to re-upload it when the certificate is rotated in Azure AD.
- Back in Azure AD, under the Google Workspace application, ensure that the user attributes being sent in the SAML token match what Google Workspace expects. The NameID must be the user's Google Workspace primary email address (name identifier format: email address); if the UPN does not carry that address, map the NameID to user.mail or use a transformation. Test with a non-admin user, and keep a break-glass Google account with a password before enforcing SSO for everyone, since a mis-mapped NameID locks users out rather than producing a helpful error.
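A way to check the hand-off before users hit it, as an added example that is not part of the original answer: capture the base64 SAMLResponse the browser POSTs to Google's ACS URL (e.g. with the browser's developer tools or a SAML tracer extension) and compare the fields Google keys on against what the Google side expects. The script below constructs its own unsigned sample response with a placeholder tenant ID and the assumed domain example.com; it does not verify the XML signature or validity window, which Google does with the certificate you uploaded.

```python
"""Check a SAML response from Azure AD against what Google Workspace expects.

Added example, not part of the original answer. It decodes the base64
SAMLResponse a browser would POST to Google's ACS URL and checks the
fields Google keys on: Destination/Recipient (the ACS URL), Audience
(Google's Entity ID) and the NameID (the user's Google primary email).
Signature and validity window are not checked here; Google does that
with the uploaded certificate. The sample response is constructed and
unsigned; the tenant ID in it is a placeholder.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
UNSPECIFIED_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"


def google_endpoints(google_domain, domain_specific_issuer=True):
    """Google's SAML endpoints are fixed per Workspace domain.

    The Entity ID is google.com/a/<domain> only when 'Use a domain-specific
    issuer' is ticked in the Admin console; otherwise it is plain google.com.
    """
    entity_id = f"google.com/a/{google_domain}" if domain_specific_issuer else "google.com"
    acs_url = f"https://www.google.com/a/{google_domain}/acs"
    return entity_id, acs_url


def check_saml_response(saml_response_b64, google_domain, domain_specific_issuer=True):
    """Return a list of mismatches; an empty list means the response lines up."""
    entity_id, acs_url = google_endpoints(google_domain, domain_specific_issuer)
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    problems = []

    destination = root.get("Destination")
    if destination != acs_url:
        problems.append(f"Destination {destination!r} is not the ACS URL {acs_url!r}")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion element (is the assertion encrypted?)"]

    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != entity_id:
        problems.append(f"Audience {audience!r} is not Google's Entity ID {entity_id!r}")

    scd = assertion.find(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    if recipient != acs_url:
        problems.append(f"Recipient {recipient!r} is not the ACS URL {acs_url!r}")

    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    value = (name_id.text or "").strip() if name_id is not None else ""
    fmt = name_id.get("Format") if name_id is not None else None
    if fmt not in (None, EMAIL_FORMAT, UNSPECIFIED_FORMAT):
        problems.append(f"NameID format {fmt!r} cannot carry an email address")
    # Google matches the NameID against an existing account's email address. A UPN
    # in another domain (e.g. *.onmicrosoft.com) will never match a Google user.
    if not value.lower().endswith("@" + google_domain.lower()):
        problems.append(f"NameID {value!r} is not an address in {google_domain}")
    return problems


def build_sample_response(name_id, google_domain, domain_specific_issuer=True):
    """Constructed, unsigned response shaped like Azure AD's, for this example only."""
    entity_id, acs_url = google_endpoints(google_domain, domain_specific_issuer)
    issuer = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"  # placeholder tenant
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" Destination="{acs_url}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>{issuer}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="{EMAIL_FORMAT}">{name_id}</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{acs_url}" NotOnOrAfter="2024-01-01T00:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{entity_id}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    # UPN domain matches the Google Workspace domain: no findings.
    print(check_saml_response(build_sample_response("alice@example.com", "example.com"), "example.com"))
    # UPN lives in a different domain: the NameID never matches a Google user.
    print(check_saml_response(
        build_sample_response("alice@contoso.onmicrosoft.com", "example.com"), "example.com"))
    # Domain-specific issuer ticked in Google but Identifier left as google.com in Azure.
    print(check_saml_response(
        build_sample_response("alice@example.com", "example.com", True), "example.com", False))
```

Run it against a real captured response by replacing the constructed sample with the SAMLResponse form value and your own domain; the three cases in the main block are the mis-configurations this answer's steps are most likely to produce (wrong Reply URL, Identifier not matching the domain-specific issuer setting, and a NameID that is not the user's Google address).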