Does Azure AD SSO domain require same Google domain to work

john Mangondo 0 Reputation points
2023-09-24T20:58:58.66+00:00

I have a Microsoft Azure account and a Google account on 2 different domains while configuring SSO using the Azure SAML toolkit. I've just been informed by a Google support technician that ‘Microsoft Office 365 and Google Workspace is not communicating because the domain in use on Azure account (mjconsult.uk) is not the same for Google account (mjcons.co.uk) and that is the reason why both service is not communicating’. Is that correct?

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

1 answer

Sedat SALMAN 13,825 Reputation points
2023-09-25T02:01:45.9933333+00:00

No, Azure AD and Google Workspace do not need to have the exact same primary domains for SSO to work. What's crucial is that the user identifiers (like email addresses) are consistent between the two services. Ensure your SAML configuration between Azure AD and Google Workspace is set up correctly.

Here are the high-level steps to set up SSO between Azure AD and Google Workspace:

1. Azure AD Side:
   • Azure Active Directory > Enterprise applications > New application.
   • Select Non-gallery application.
   • Once the application is created, go to Single sign-on > SAML.
   • To fill out the SAML configuration details, you'll need some information from Google Workspace.
2. Google Workspace Side:
   • Go to the Google Admin console.
   • Navigate to Security > Set up SSO.
   • Check the boxes for Enable SSO for Google Workspace and Use a domain-specific issuer.
   • Here you'll see the SSO URL and Entity ID, which you'll need for the Azure AD setup.
3. Back to Azure AD:
   • In the Azure portal, under the SAML configuration:
     Identifier = Entity ID from Google.
     Reply URL = SSO URL from Google.
   • Once you save these settings, Azure will provide a Login URL and a Logout URL, and you'll also get the Azure AD signing certificate.
4. Back to Google Workspace:
   • In the Google Admin console, under the SSO setup:
     Sign-in page URL = Login URL from Azure AD.
     Sign-out page URL = Logout URL from Azure AD.
     Upload the Azure AD signing certificate.
5. User Attribute Mapping:
   • Back in Azure AD, under the Google Workspace application, ensure that the user attributes being sent in the SAML token match what Google Workspace expects. Typically, the primary email address is used as the NameID.
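A check for the mapping the answer describes, added here as an example that is not part of the original answer: it parses a constructed SAML Response and verifies the Destination against the Reply URL, the Audience against the Identifier/Entity ID, and that the NameID is an email address in the Google Workspace domain, even though the Azure tenant domain (mjconsult.uk) differs. The Entity ID, ACS URL and Issuer values are assumed placeholders (the google.com/a/<domain> form for a domain-specific issuer is an assumption), and signature verification is left to the SAML library.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Values the Google (SP) side was configured with. All are assumed placeholders;
# the Azure tenant domain (mjconsult.uk) differs from the Google domain and
# does not appear anywhere in these checks.
GOOGLE_ENTITY_ID = "google.com/a/mjcons.co.uk"                # Identifier
GOOGLE_ACS_URL = "https://www.google.com/a/mjcons.co.uk/acs"  # Reply URL
AZURE_ISSUER = "https://sts.windows.net/TENANT-ID-PLACEHOLDER/"
GOOGLE_DOMAINS = {"mjcons.co.uk"}                             # Workspace domains

def check_response(xml_text: str) -> list:
    """Return a list of problems; an empty list means the mapping lines up.
    Signature verification is out of scope here and must be done separately."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != GOOGLE_ACS_URL:
        problems.append("Destination != Google ACS URL (Reply URL misconfigured)")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion element"]
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != AZURE_ISSUER:
        problems.append(f"unexpected Issuer {issuer!r}")
    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", default="", namespaces=NS)
    if audience != GOOGLE_ENTITY_ID:
        problems.append(f"Audience {audience!r} != Identifier/Entity ID")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FMT:
        problems.append("NameID missing or not in emailAddress format")
    else:
        domain = (name_id.text or "").rpartition("@")[2].lower()
        if domain not in GOOGLE_DOMAINS:
            problems.append(f"NameID domain {domain!r} is not a Google Workspace domain")
    return problems

# Constructed sample: the NameID carries the Google primary email, not the Azure UPN.
SAMPLE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  Destination="{GOOGLE_ACS_URL}"><saml:Assertion><saml:Issuer>{AZURE_ISSUER}</saml:Issuer>
  <saml:Subject><saml:NameID Format="{EMAIL_FMT}">john@mjcons.co.uk</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>{GOOGLE_ENTITY_ID}</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>"""

if __name__ == "__main__":
    print(check_response(SAMPLE) or "mapping OK")
```

Swapping the NameID for the Azure UPN (john@mjconsult.uk) is the misconfiguration that looks like a "domain mismatch" and is reported as such by the last check.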
