The following are some notes on the different types of federation that can be configured between Azure AD and GSuite.
Scenario 1 – Configure GSuite SAML IDP Federation into Azure AD
Configure your corporate GSuite as your primary IDP and configure SAML SSO to Azure AD\Office 365 (Gsuite users are autoprovisioned into AAD, or mapped via Immutable ID) and then your users can sign in to your Azure AD tenant with GSuite credentials. Your Gsuite domain name is added as a federated domain in your AAD tenant. Your user management is primarily done from Gsuite.
- Service Provider: AAD
- Identity Provider: GSuite
- User Provisioning: Users are created in GSuite, and then provisioned into AAD
- GSuite Doc: Auto provision your Gsuite users into AAD: https://support.google.com/a/answer/7365072
- Gsuite Doc: Configure Gsuite SAML SSO to AAD: https://support.google.com/a/answer/6363817
- Walkthrough Blog on Setup Steps: https://www.goldyarora.com/g-suite-to-office-365-sso/
- YouTube Walkthrough: https://www.youtube.com/watch?v=C46djGWiaDA
- This scenario supports GSuite IDP initiated SAML SSO to Azure AD. You must however provision user accounts into Azure AD from GSuite with matching immutable IDs
- This scenario is for enabling SSO for your own corporate Gsutie users to your own Azure AD tenant, it is NOT for inviting external GSuite users to your Azure AD tenant as guests.
Scenario 2 – Configure Azure AD SAML SSO to GSuite
Use Azure AD as your primary IDP and configure SAML SSO to allow your Azure AD users to SSO login to GSuite with Azure AD credentials. Azure AD SCIM Provisioning, configures GSuite users. Your Azure AD domain is added as a federated domain in your GSuite workspace.
- Service Provider: GSuite
- Identity Provider: AAD
- User Provisioning: Users are created in AAD, and then provisioned into GSuite via SCIM
- Azure AD Docs: https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/google-apps-tutorial
- YouTube Walkthrough: https://www.youtube.com/watch?v=mv0eHNcgALc
- Gsuite Docs:
Scenario 3 – Federation with SAML/WS-Fed identity providers for guest users
If you need to share or collaborate content or applications in your own Azure AD tenant with external users, you would need to invite these users using Azure AD B2B. If the user’s you need to invite do not have their own Azure AD tenant, but do use GSuite as their identity provider. You can configure External Identities SAML Federation with their GSuite domain. When you invite their GSuite email accounts they will now be able to accept your guest invitations and authenticate to your AAD tenant as Guest users using their GSuite credentials.
- Service Provider: AAD
- Identity Provider: Gsuite for initial Guest authentication
- User Provisioning: Your partner\customer has users in GSuite already provisioned. You invite these users into AAD via B2B guest invitations. They authenticate via GSuite and sign into your AAD tenant as a Guest
- AAD Docs: https://learn.microsoft.com/en-us/azure/active-directory/external-identities/direct-federation
- Blog Walkthrough https://www.jasonfritts.me/2020/07/16/configuring-azure-ad-b2b-direct-federation-with-gsuite/
- This scenario does not support GSuite IDP initiated SAML SSO to Azure AD. You must invite the external GSuite IDP users to your Azure AD tenant as B2B Guests and then those users must access your Azure AD tenant using a tenanted URL ie. https://portal.azure.com/mytenant.com after which they will be redirected to GSuite to sign in with GSuite credentials and then signed into your Azure AD tenant as Guest users.