Introduction
This article will show how to configure a federation (Single Sign-On) between Active Directory and Cloud Identity or Google Workspace.
Benefits
- Employees can use their Active Directory identity to sign in to various Google services, including Google Cloud, Google Marketing Platform, and Google Ads.
- Organisations can continue to use Microsoft Active Directory as an authoritative source for identities—this way, they can create, manage, and delete identities for their employees.
- Organisations can leverage the existing Active Directory Federation Service (ADFS) as the source for authentication (Identity Provider) and to provide single sign-on features for applications.
- With this streamlined authentication process, users can enjoy a more efficient, secure, and seamless experience when working across both on-premise and Google Cloud systems.
Practical Example
Imagine a company called myforest1 has a presence across the United States. The primary office is located in New York, and their Active Directory has been integrated with an Entra ID tenant via Entra Connect Sync. Employees use the domain name employee.myforest1.com to access Microsoft 365 services. They also have an Active Directory Federation Service (ADFS) platform to provide Single Sign-On services to Microsoft 365 applications.
New Business Requirement:
Recently, the business has decided to provide Google services to individuals who work as contractors or part-time employees. These services include Gmail, Google Drive, Google Docs, Google Sheets, Google Slides, Google Meet, Google Forms, and related offerings.
Below are the detailed business requirements.
- Contractors should use the domain name contractor.myforest1.com, whereas part-time employees would get pte.myforest1.com.
- Google Workspace applications should be protected with Microsoft Entra Multi-Factor Authentication in addition to the on-premises applications.
- Active Directory must be used as the Central Identity Provider and ADFS as the Single Sign-On provider for all applications, including Google Workspace.
- Users’ accounts in Google Cloud must be managed through Active Directory.
Preparing the Environment
The steps below were followed to achieve the business requirements.
To demonstrate this, I have already built a hybrid Active Directory environment with ADFS. Please check my article to learn how to configure Active Directory Federation Service.
Implementation Steps
Step 1: Add and verify domains in Microsoft Entra ID
To begin with, we need to register the domains contractor.myforest1.com and pte.myforest1.com in Microsoft Entra ID so that they can use the Multifactor Authentication service. You can find a link with instructions on adding a domain to Entra ID.

Step 2: Add and verify domains in Google Workspace
The domains contractor.myforest1.com and pte.myforest1.com need to be added to the Cloud Identity account. By doing this, users in these domains can use Google services. Please check my article to learn how to add a domain to the Cloud Identity account.
Step 3: Activate Gmail service
With a “Cloud Identity Free” subscription, you cannot activate the email service for custom domains. For this reason, I subscribed to “Google Workspace Business Starter”. Just click “Activate Gmail” and follow the steps.

Record the MX value generated by the wizard and add the MX record at your domain registrar.


After that, verify the MX record value.

Finally, press the “Activate Gmail” button.

Step 4: Sync user accounts from AD to Google Cloud
Next, we need to configure GCDS (Google Cloud Directory Sync) to provision the contractor and part-time users’ accounts from the myforest1.com AD to Google Workspace or Cloud Identity. If you want to learn more about it, please check my article.

Step 5: Assign license
We have provisioned user accounts to Cloud Identity; now assign licenses to the contractors and part-time employees.


If you want, you can subscribe to Google services by signing in to https://admin.google.com, then navigating to Billing->Subscriptions->Add or upgrade a subscription.

Step 6: Create a relying party trust for Google Cloud
Follow the instructions given below to create a relying party trust for Google Cloud. Log in to the primary ADFS server and open the AD FS Management MMC snap-in. Navigate to ADFS->Relying Party Trusts->Actions->Add relying party trust and fill in the form as described in the table below.
| Steps | Action |
|---|---|
| Welcome | Claim Aware |
| Select Data Store | Enter data about the relying party manually |
| Specify display name | Myforest1-Google Cloud |
| Configure Certificate | Click next |
| Configure URL | Select Enable support for the SAML 2.0 WebSSO protocol and enter https://www.google.com/a/myforest1.com/acs. Note: the Assertion Consumer Service (ACS) URL tells the IdP where to send the authenticated user, together with the SAML assertion, after sign-in. |
| Configure identifiers | Enter google.com/a/myforest1.com and google.com |
| Choose access control policy | Permit everyone |
| Ready to Add Trust | Click Next |
| Finish | Clear “Configure claims issuance policy” |
Step 7: Configure the logout URL
We need to configure a logout URL for SSO-enabled users. This allows them to sign out across multiple applications. Follow the instructions to set the logout URL.
Log in to the primary ADFS server and open the AD FS Management MMC snap-in. Right-click the relying party trust we created->Properties->Endpoints->Add SAML, fill in the form below and close the dialog.
| Setting | Value |
|---|---|
| Endpoint type | SAML Logout |
| Binding | POST |
| Trusted URL | https://sts.myforest1.com/adfs/ls/?wa=wsignout1.0 |

Step 8: Configure the claims mapping
Create a rule to look up the email address
We need to create a rule that looks up the user’s email address according to the user mapping rule.
To do that, log in to the primary ADFS server and open the AD FS Management MMC snap-in. Right-click the relying party trust we created->Edit claim issuance policy->Add Rule->Select Send LDAP Attributes as Claims->Next->Claim rule name: Email address->Attribute Store: Active Directory->LDAP attribute mappings->LDAP Attribute: E-Mail-Addresses->Outgoing Claim Type: E-Mail Address->Finish

Create a rule to set the NameID
Click Add rule->Choose rule type-> Select Transform an incoming claim->Claim rule name: Name Identifier->Incoming claim type: E-Mail-Address->Outgoing claim type: Name ID->Outgoing name ID format: Email->Select Pass through all claim values->Click Finish
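The same relying party trust, endpoints and claim rules as an added PowerShell example (not from the original article), for anyone who prefers to script Steps 6 to 8 on the primary AD FS server; the trust name, domain and STS host are taken from the article’s scenario.

```powershell
# Added example, not from the original article: scripts Steps 6-8 with the AD FS
# PowerShell module instead of the MMC wizard. Run on the primary AD FS server.
Import-Module ADFS

$domain  = "myforest1.com"
$stsHost = "sts.myforest1.com"
$acsUrl  = "https://www.google.com/a/$domain/acs"          # Assertion Consumer Service (Step 6)
$logout  = "https://$stsHost/adfs/ls/?wa=wsignout1.0"      # SAML logout endpoint (Step 7)

# Endpoints: where AD FS posts the assertion, and where sign-out requests go.
$endpoints = @(
    New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl -Index 0 -IsDefault $true
    New-AdfsSamlEndpoint -Binding POST -Protocol SAMLLogout -Uri $logout
)

# Claim rules (Step 8) in AD FS claim rule language. Rule 1 reads the user's mail
# attribute from AD; rule 2 turns it into a NameID in Email format, which is the
# value Google matches against the account GCDS provisioned. Because that match is
# by email, keep the AD mail attribute unique and under admin control.
$rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Email address"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Name Identifier"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Identifiers match the wizard values; "Permit everyone" is the built-in access control policy.
Add-AdfsRelyingPartyTrust -Name "Myforest1-Google Cloud" `
    -Identifier @("google.com/a/$domain", "google.com") `
    -SamlEndpoint $endpoints `
    -AccessControlPolicyName "Permit everyone" `
    -IssuanceTransformRules $rules

# Verify: both identifiers, both endpoints and both rules should be listed.
Get-AdfsRelyingPartyTrust -Name "Myforest1-Google Cloud" |
    Select-Object Name, Identifier, SamlEndpoints, IssuanceTransformRules
```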

Step 9: Export the AD FS token-signing certificate
After AD FS authenticates a user, it passes a SAML assertion to Cloud Identity or Google Workspace. To enable Cloud Identity and Google Workspace to verify the integrity and authenticity of that assertion, AD FS signs the assertion with a special token-signing key and provides a certificate that enables Cloud Identity or Google Workspace to check the signature.
Follow the instructions to export the token-signing certificate.
Log in to the primary ADFS server and open the AD FS Management MMC snap-in->Service->Certificates->Right-click Token-signing and click View Certificate->Details->Copy to File->Welcome to the certificate export wizard->Next->Export private key->No, do not export the private key->Export file format->Base-64 encoded X.509 (.CER)->Next->File to export->provide a local filename and click Next->Finish.
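An added example (not part of the original article) that performs Step 9 from PowerShell on the primary AD FS server and also reports when the certificate expires and whether AD FS will roll it over automatically; the output path is an assumption.

```powershell
# Added example, not from the original article: exports the primary AD FS token-signing
# certificate as Base-64 encoded X.509 (.CER) for upload to the Google Admin console.
Import-Module ADFS

function Export-AdfsTokenSigningCer {
    param([string]$Path = "C:\temp\adfs-token-signing.cer")   # assumed output path

    $primary = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
    $cert    = $primary.Certificate   # X509Certificate2; only the public part is exported below

    # DER bytes of the certificate alone (no private key), PEM-wrapped at 64 characters per line.
    $der  = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    $b64  = [Convert]::ToBase64String($der)
    $body = ($b64 -split '(.{64})' | Where-Object { $_ }) -join "`r`n"
    $pem  = "-----BEGIN CERTIFICATE-----`r`n$body`r`n-----END CERTIFICATE-----`r`n"
    Set-Content -Path $Path -Value $pem -Encoding Ascii -NoNewline

    [pscustomobject]@{
        Path       = $Path
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        DaysLeft   = [int]($cert.NotAfter - (Get-Date)).TotalDays
    }
}

Export-AdfsTokenSigningCer

# Google trusts only the certificate you uploaded. With AutoCertificateRollover enabled,
# AD FS generates a new token-signing certificate before expiry and promotes it to
# primary, so the new certificate must be re-exported and uploaded or sign-in fails.
$props = Get-AdfsProperties
if ($props.AutoCertificateRollover) {
    "Auto rollover is on: a new token-signing certificate is generated {0} days before expiry and promoted {1} days before expiry." -f
        $props.CertificateGenerationThreshold, $props.CertificatePromotionThreshold
}
```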
Step 10: Configure single sign-on in Cloud Identity
Once the AD FS configuration is complete, you are ready to establish single sign-on for your Cloud Identity or Google Workspace account.
Sign in to the Google Workspace Admin Console->Navigate to SSO with third-party IdP->Fill in the form as shown in the figure below. ADFS URLs could differ based on your ADFS configuration. In our case:
Sign-in page URL: https://sts.myforest1.com/adfs/ls/
Sign-out page URL: https://sts.myforest1.com/adfs/ls/?wa=wsignout1.0
Change password URL: https://sts.myforest1.com/adfs/portal/updatepassword/
Then upload the token-signing certificate->Save

The below figure shows the SSO profile configuration in my scenario. On your end, it could be different based on your ADFS configuration.

Step 11: Testing single sign-on
We have finished setting up single sign-on in both AD FS and Cloud Identity or Google Workspace. To test single sign-on, follow these steps.
- Open a new browser window and go to https://gmail.com
- Enter the email address of either the contractor or part-time employee user account and click Next.
- You are redirected to AD FS. You now see the sign-in page if you configured AD FS to use forms-based authentication.
- Enter the user UPN and password for the Active Directory user, and click Sign in.
- AD FS redirects you to the Google Identity Platform after successful authentication. Because this is the first login for this user, you’re asked to accept the Google terms of service and privacy policy.
- At the upper left, click the avatar icon and click Sign out.
- You are then redirected to an AD FS page confirming that you’ve been successfully signed out.
I made a video to show the user experience; please watch it.
In the next article, we will discuss and enable Microsoft Entra Multi-Factor Authentication for Google Cloud applications.
Thank you for taking the time to read my article.