Trouble setting up Google Workspace SAML as an IdP for authentication

Question

Trouble setting up Google Workspace SAML as an IdP for authentication

Jason Williams 30

We currently use Google workspace and all SSO authentication. We need to configure SAML with Google instead of the Built-in Google auth so we can pass groups for RBAC.

I did setup a custom SAML provider under External Identities - Custom. This created fine, but I have something setup wrong. I am a bit unsure of what my ACS and Entity ID on the google side should be. I have found conflicting documentation and none of them seem to work. Here are a few of the attempts we have made:

ACS URL: https://login.microsoftonline.com/<tenantID>/saml2 Entity ID: https://sts.windows.net/<tenantID>/

ACS URL: https://<tenantID>.ciamlogin.com/login.srf Entity ID: https://login.microsoftonline.com/<tenant ID>/

ACS URL: https://login.microsoftonline.com/login.srf Entity ID: https://login.microsoftonline.com/<tenant ID>/

Are any of these close?

I may have something wrong on the Microsoft side too, but unsure until I know I have the google IdP side correct.

In Azure -> Microsoft Entra ID -> External Identities -> All Identity providers -> Custom I have setup Name: Google Identity Provider protocol: SAML Issuer URI: https://accounts.google.com/o/saml2?idpid=<IdP ID> Passive authentication endpoint: https://accounts.google.com/o/saml2/idp?idpid=<IdP ID> Certificate: <our IdP certificate>

Surya Prakash Kotte 3,200 Reputation points Microsoft External Staff Moderator

2025-05-20T05:07:05.3466667+00:00

Hello @Jason Williams

Did you get a chance to see my previous comment? Please feel free to reach out if you have any further questions.
Jason Williams 30 Reputation points

2025-05-20T15:56:40.79+00:00

Thank you for the replies.

We have updated the settings in google as indicated, but this is still not working. When I try to login, I get this error when I initiate the login from google:
AADSTS90121: Invalid empty request.

If I try to login from portal.azure.com I am not directed to google for my login with my domain rainfocus.com

I have confirmed the azure entra id is setup as indicated.

One issue I see is we have our domain rainfocus.com. It is listed as verified, but shows federated is not enabled. I don't see how to enable this. When I setup the custom SAML identity provider, I am not able to use rainfocus.com as the Domain name of federating IdP. I get an error that the domain is already confirmed in entra id.
Surya Prakash Kotte 3,200 Reputation points Microsoft External Staff Moderator

2025-05-20T16:25:21.93+00:00

Hello @Jason Williams

I would like to check this up offline with you to understand the scenario better. Please share your contact details over private message and your availability for a call.
Jason Williams 30 Reputation points

2025-05-20T17:32:58.59+00:00

Thanks - I'm new to Azure, so I'm not sure how to share my contact info with you privately.
Surya Prakash Kotte 3,200 Reputation points Microsoft External Staff Moderator

2025-05-20T17:49:38.08+00:00

Hello @Jason Williams

On top of the thread, you can see the private message option.

Accepted answer

1 additional answer

Your answer

Surya Prakash Kotte 3,200 Reputation points Microsoft External Staff Moderator

2025-05-20T05:07:05.3466667+00:00

Hello @Jason Williams

Did you get a chance to see my previous comment? Please feel free to reach out if you have any further questions.
Jason Williams 30 Reputation points

2025-05-20T15:56:40.79+00:00

Thank you for the replies.

We have updated the settings in google as indicated, but this is still not working. When I try to login, I get this error when I initiate the login from google:
AADSTS90121: Invalid empty request.

If I try to login from portal.azure.com I am not directed to google for my login with my domain rainfocus.com

I have confirmed the azure entra id is setup as indicated.

One issue I see is we have our domain rainfocus.com. It is listed as verified, but shows federated is not enabled. I don't see how to enable this. When I setup the custom SAML identity provider, I am not able to use rainfocus.com as the Domain name of federating IdP. I get an error that the domain is already confirmed in entra id.
Surya Prakash Kotte 3,200 Reputation points Microsoft External Staff Moderator

2025-05-20T16:25:21.93+00:00

Hello @Jason Williams

I would like to check this up offline with you to understand the scenario better. Please share your contact details over private message and your availability for a call.
Jason Williams 30 Reputation points

2025-05-20T17:32:58.59+00:00

Thanks - I'm new to Azure, so I'm not sure how to share my contact info with you privately.
Surya Prakash Kotte 3,200 Reputation points Microsoft External Staff Moderator

2025-05-20T17:49:38.08+00:00

Hello @Jason Williams

On top of the thread, you can see the private message option.

Answer 1

Bob 240 Independent Advisor

Hi @Jason Williams,

Thank you so much for the detailed explanation of your setup — I truly appreciate the clarity you've provided. You're definitely on the right track with configuring Google Workspace as a SAML Identity Provider for Microsoft Entra to support group-based RBAC.

ACS URL and Entity ID

Based on your scenario, if you're using a standard Microsoft Entra ID tenant, the correct values are:

ACS URL: https://login.microsoftonline.com/<tenant-id>/saml2
Entity ID: https://sts.windows.net/<tenant-id>/

These are the most commonly used values for standard Entra tenants. The other combinations you’ve tried are typically used in Microsoft Entra External ID (CIAM) scenarios, which involve different endpoints and policies.

Additional Considerations

For detailed guidance, please refer to Microsoft’s official documentation: Add a SAML/WS-Fed identity provider - Microsoft Entra External ID

It’s important to verify whether the SAML2 endpoint can consume SAMLP responses from Google. Compatibility issues here could cause the login to fail.

A common issue is not updating the SAML metadata on either the Google or Microsoft side. Please ensure both ends have the latest metadata and configuration.

Next Steps

To assist you further, could you please provide:

The exact error message or behavior you're seeing during the login attempt?
Whether the issue occurs on the Google side or the Microsoft Entra side?

This will help us pinpoint the root cause more effectively.

If the Issue Persists

If the issue continues after verifying the metadata and configuration, I recommend raising a support ticket with Microsoft so we can investigate the backend logs and SAML processing in more detail.

Please let me know if this helps or if you have any further questions — I’m here to support you every step of the way!

If this response has been helpful, I’d be incredibly grateful if you could mark it as the accepted answer and give it a thumbs up. Your feedback means a lot and helps us continue delivering great support experiences.

Warm regards,

Bob

Bob 240 Reputation points Independent Advisor

2025-05-22T11:02:37.91+00:00
Hi @Jason Williams,

Thanks for the update with the error! (AADSTS90121: Invalid empty request)

Based on the error and your setup, it looks like the key issue is that your domain rainfocus.com is not yet federated in Microsoft Entra. Even though it’s verified, Entra won’t redirect users to Google for login unless the domain is explicitly set to use federated authentication.

To fix this, you’ll need to run a PowerShell command to federate the domain. Here’s a sample command (you’ll need to fill in your actual IdP ID and certificate):

Set-MsolDomainAuthentication -DomainName rainfocus.com -FederationBrandName "Google" -Authentication Federated -PassiveLogOnUri "https://accounts.google.com/o/saml2/idp?idpid=" -IssuerUri "https://accounts.google.com/o/saml2?idpid=" -SigningCertificate "" -LogOffUri "https://www.google.com/accounts/Logout" -PreferredAuthenticationProtocol SAMLP

Once this is done:

Microsoft Entra will redirect users from rainfocus.com to Google for login.

Your IdP-initiated and SP-initiated flows should both start working as expected.

Let me know if you’d like help generating the exact command or checking your certificate format!

If my answer has resolved your query, please do click "Accept Answer" and "Yes" as this can be beneficial to other community members who has the same question topic as you. It would be greatly appreciated and helpful to others.

Best regards,

Bob
Jason Williams 30 Reputation points

2025-05-23T20:19:41.6466667+00:00

This was really close, but not quite so I'll add some notes.

We weren't able to use the MSOnline module. It appears to be legacy and none of the tools we tried could use it. Tested with both Powershell: 5.1.26100.3624 & Powershell: 7.5.1 as well as the Azure Cloud Powershell and the powershell that runs on mac.

This was the command used:

$domainId = "rainfocus.com" $issuerUri = "https://accounts.google.com/o/saml2?idpid=(google-id)" $passiveSignInUri = "https://accounts.google.com/o/saml2/idp?idpid=(google-id)" $displayName = "Google Federation for $domainId" $copiedCertString = "<<cert>>" $signingCertificate = $copiedCertString -replace "r", "" -replace "n", "" -replace " ", ""

New-MgDomainFederationConfiguration -DomainId $domainId -DisplayName $displayName -IssuerUri $issuerUri -ActiveSignInUri $passiveSignInUri -PassiveSignInUri $passiveSignInUri -SigningCertificate $signingCertificate -PreferredAuthenticationProtocol "saml" ` -FederatedIdpMfaBehavior "enforceMfaByFederatedIdp"

Also, this is the permission scope that ended up working. I don't think I need all of them but I haven't looked into what specific ones were right in this case:

Connect-MgGraph -Scopes "Domain.ReadWrite.All", "Policy.ReadWrite.Authorization", "Directory.ReadWrite.All", "User.Read.All", "Directory.AccessAsUser.All"

Answer 2

Hello @Jason Williams

To correctly configure SAML SSO from Google Workspace to Microsoft Entra ID, use the following settings in Google:

ACS URL: https://login.microsoftonline.com/<tenantID>/saml2
Entity ID: https://sts.windows.net/<tenantID>/

Replace <tenantID> with your actual Microsoft Entra (Azure AD) tenant ID.

On the Microsoft side, navigate to Entra ID > External Identities > All Identity Providers > Custom, and configure the following:

Issuer URI: https://accounts.google.com/o/saml2?idpid=<IdP ID>
Passive Authentication Endpoint: https://accounts.google.com/o/saml2/idp?idpid=<IdP ID>

Be sure to replace <IdP ID> with your Google IdP ID.

Upload the certificate from Google and ensure user attributes—such as email—are mapped correctly.

This setup enables Google to act as the Identity Provider (IdP), passing user information and group membership to Entra ID for role-based access control (RBAC).

If you encounter any issues, please let me know—we can connect offline to troubleshoot further.

Share via

Trouble setting up Google Workspace SAML as an IdP for authentication

1 additional answer

Your answer