This article shows you how to set up single sign-on between your Active Directory environment and your Cloud Identity or Google Workspace account by using Microsoft Active Directory Federation Services (AD FS) and SAML Federation.
The article assumes that you understand how Active Directory identity management can be extended to Google Cloud and have already configured user provisioning. The article also assumes that you have a working AD FS 4.0 server that is running on Windows Server 2016 or a later version of Windows Server.
To follow this guide, knowledge of Active Directory Domain Services and AD FS is required. You also need a user in Cloud Identity or Google Workspace that has super-admin privileges and a user in Active Directory that has administrative access to your AD FS server.
Objectives
- Configure your AD FS server so that Cloud Identity or Google Workspace can use it as an identity provider.
- Create a claims issuance policy that matches identities between Active Directory and Cloud Identity or Google Workspace.
- Configure your Cloud Identity or Google Workspace account so that it delegates authentication to AD FS.
Costs
If you're using the free edition of Cloud Identity, following this article will not use any billable components of Google Cloud.
Before you begin
- Verify that your AD FS server runs Windows Server 2016 or later. While you can also configure single sign-on by using previous versions of Windows Server and AD FS, the necessary configuration steps might be different from what this article describes.
- Make sure you understand how Active Directory identity management can be extended to Google Cloud.
- Configure user provisioning between Active Directory and Cloud Identity or Google Workspace.
- Consider setting up AD FS in a server farm configuration in order to avoid it becoming a single point of failure. After you've enabled single sign-on, the availability of AD FS determines whether users can log in to the Google Cloud console.
Understanding single sign-on
By using Google Cloud Directory Sync, you've already automated the creation and maintenance of users and tied their lifecycle to the users in Active Directory.
Although GCDS provisions user account details, it doesn't synchronize passwords. Whenever a user needs to authenticate in Google Cloud, the authentication must be delegated back to Active Directory, which is done by using AD FS and the Security Assertion Markup Language (SAML) protocol. This setup ensures that only Active Directory has access to user credentials and is enforcing any existing policies or multi-factor authentication (MFA) mechanisms. Moreover, it establishes a single sign-on experience between your on-premises environment and Google.
For more details on single sign-on, see Single sign-on
Create a SAML profile
To configure single sign-on with AD FS, you first create a SAML profile in your Cloud Identity or Google Workspace account. The SAML profile contains the settings related to your AD FS instance, including its URL and signing certificate.
You later assign the SAML profile to certain groups or organizational units.
To create a new SAML profile in your Cloud Identity or Google Workspace account, do the following:
In the Admin Console, go to SSO with third-party IdP.
Click Third-party SSO profiles > Add SAML profile.
On the SAML SSO profile page, enter the following settings:
- Name:
AD FS
IDP entity ID:
https://ADFS/adfs/services/trust
Sign-in page URL:
https://ADFS/adfs/ls/
Sign-out page URL:
https://ADFS/adfs/ls/?wa=wsignout1.0
Change password URL:
https://ADFS/adfs/portal/updatepassword/
In all URLs, replace
ADFS
with the fully qualified domain name of your AD FS server.Don't upload a verification certificate yet.
- Name:
Click Save.
The SAML SSO profile page that appears contains two URLs:
- Entity ID
- ACS URL
You need these URLs in the next section when you configure AD FS.
Configure AD FS
You configure your AD FS server by creating a relying party trust.
Creating the relying party trust
Create a new relying party trust:
- Connect to your AD FS server and open the AD FS Management MMC snap-in.
- Select AD FS > Relying Party Trusts.
- On the Actions pane, click Add relying party trust.
- On the Welcome page of the wizard, select Claims aware, and click Start.
- On the Select data source page, select Enter data about the relying party manually, and click Next.
- On the Specify display name page, enter a name such as
Google Cloud
and click Next. - On the Configure certificate page, click Next.
On the Configure URL page, select Enable support for the SAML 2.0 WebSSO protocol, and enter the ACS URL from your SAML profile. Then click Next.
On the Configure identifiers page, add the Entity ID from your SAML profile.
Then click Next.
On the Choose access control policy page, choose an appropriate access policy and click Next.
On the Ready to Add Trust page, review your settings, and then click Next.
On the final page, clear the Configure claims issuance policy checkbox and close the wizard.
In the list of relying party trusts, you see a new entry.
Configuring the logout URL
When you're enabling users to use single sign-on across multiple applications, it's important to allow them to sign out across multiple applications:
- Open the relying party trust that you just created.
- Select the Endpoints tab.
Click Add SAML and configure the following settings:
- Endpoint type: SAML Logout
- Binding: POST
Trusted URL:
https://ADFS/adfs/ls/?wa=wsignout1.0
Replace
ADFS
with the fully qualified domain name of your AD FS server.
Click OK.
Click OK to close the dialog.
Configuring the claims mapping
After AD FS has authenticated a user, it issues a SAML assertion.
This assertion serves as proof that authentication has
successfully taken place. The assertion must identify who has been
authenticated, which is the purpose of the
NameID
claim.
To enable Google Sign-In to associate the NameID
with a user, the NameID
must contain the primary email address of that user. Depending on how you are
mapping users
between Active Directory and Cloud Identity or Google Workspace,
the NameID
must contain the UPN or the email address from the Active Directory
user, with domain substitutions applied as necessary.
UPN
- In the list of relying party trusts, select the trust that you just created and click Edit claim issuance policy.
- Click Add rule
- On the Choose rule type page of the Add transform claim rule wizard, select Transform an incoming claim, then click Next.
On the Configure claim rule page, configure the following settings:
- Claim rule name:
Name Identifier
- Incoming claim type: UPN
- Outgoing claim type: Name ID
- Outgoing name ID format: Email
- Claim rule name:
Select Pass through all claim values and click Finish.
Click OK to close the claim issuance policy dialog.
UPN: domain substitution
- In the list of relying party trusts, select the trust that you just created and click Edit claim issuance policy.
- Click Add rule
- On the Choose rule type page of the Add transform claim rule wizard, select Transform an incoming claim, then click Next.
On the Configure claim rule page, configure the following settings:
- Claim rule name:
Name Identifier
- Incoming claim type: UPN
- Outgoing claim type: Name ID
- Outgoing name ID format: Email
- Claim rule name:
Select Replace incoming claim e-mail suffix with a new e-mail suffix and configure the following setting:
- New e-mail suffix: A domain name used by your Cloud Identity or Google Workspace account.
Click Finish, and then click OK.
- In the list of relying party trusts, select the trust that you just created and click Edit claim issuance policy.
- Add a rule to lookup the email address:
- In the dialog, click Add Rule.
- Select Send LDAP Attributes as Claims, and click Next.
- On the next page, apply the following settings:
- Claim rule name:
Email address
- Attribute Store: Active Directory
- Claim rule name:
- Add a row to the list of LDAP attribute mappings:
- LDAP Attribute: E-Mail-Addresses
- Outgoing Claim Type: E-Mail-Address
- Click Finish.
Add another rule to set the
NameID
:- Click Add rule
- On the Choose rule type page of the Add transform claim rule wizard, select Transform an incoming claim, then click Next.
On the Configure claim rule page, configure the following settings:
- Claim rule name:
Name Identifier
- Incoming claim type: E-Mail-Address
- Outgoing claim type: Name ID
- Outgoing name ID format: Email
- Claim rule name:
Select Pass through all claim values and click Finish.
Click OK to close the claim issuance policy dialog.
Email: domain substitution
- In the list of relying party trusts, select the trust that you just created and click Edit claim issuance policy.
- Add a rule to lookup the email address:
- In the dialog, click Add Rule.
- Select Send LDAP Attributes as Claims, and click Next.
- On the next page, apply the following settings:
- Claim rule name:
Email address
- Attribute Store: Active Directory
- Claim rule name:
- Add a row to the list of LDAP attribute mappings:
- LDAP Attribute: E-Mail-Addresses
- Outgoing Claim Type: E-Mail-Address
- Click Finish.
Add another rule to set the
NameID
value:- Click Add rule
- On the Choose rule type page of the Add transform claim rule wizard, select Transform an incoming claim, then click Next.
On the Configure claim rule page, configure the following settings:
- Claim rule name:
Name Identifier
- Incoming claim type: E-Mail-Address
- Outgoing claim type: Name ID
- Outgoing name ID format: Email
- Claim rule name:
Select Replace incoming claim e-mail suffix with a new e-mail suffix and configure the following setting:
- New e-mail suffix: A domain name used by your Cloud Identity or Google Workspace account.
Click Finish, and then click OK.single-sign-on
Exporting the AD FS token-signing certificate
After AD FS authenticates a user, it passes a SAML assertion to Cloud Identity or Google Workspace. To enable Cloud Identity and Google Workspace to verify the integrity and authenticity of that assertion, AD FS signs the assertion with a special token-signing key and provides a certificate that enables Cloud Identity or Google Workspace to check the signature.
Export the signing certificate from AD FS by doing the following:
- In the AD FS Management console, click Service > Certificates.
- Right-click the certificate that is listed under Token-signing, and click View Certificate.
- Select the Details tab.
- Click Copy to File to open the Certificate Export Wizard.
- On the Welcome to the certificate export wizard, click Next.
- On the Export private key page, select No, do not export the private key.
- On the Export file format page, select Base-64 encoded X.509 (.CER) and click Next.
- On the File to export page, provide a local filename, and click Next.
- Click Finish to close the dialog.
- Copy the exported certificate to your local computer.
Complete the SAML profile
You use the signing certificate to complete the configuration of your SAML profile:
Return to the Admin Console and go to Security > Authentication > SSO with third-party IdP.
Open the
AD FS
SAML profile that you created earlier.Click the IDP details section to edit the settings.
Click Upload certificate and pick the token signing certificate that you exported from AD FS.
Click Save.
Your SAML profile is complete, but you still need to assign it.
Assign the SAML profile
Select the users for which the new SAML profile should apply:
In the Admin Console, on the SSO with third-party IDPs page, click Manage SSO profile assignments > Manage.
In the left pane, select the group or organizational unit for which you want to apply the SSO profile. To apply the profile to all users, select the root organizational unit.
In the right pane, select Another SSO profile.
In the menu, select the
AD FS - SAML
SSO profile that you created earlier.Click Save.
Repeat the steps to assign the SAML profile to another group or organizational unit.
Test single sign-on
You've completed the single sign-on configuration. You can check whether SSO works as intended.
Choose an Active Directory user that satisfies the following criteria:
- The user has been provisioned to Cloud Identity or Google Workspace.
The Cloud Identity user does not have super-admin privileges.
User accounts that have super-admin privileges must always sign in by using Google credentials, so they aren't suitable for testing single sign-on.
Open a new browser window and go to https://console.cloud.google.com/.
On the Google Sign-In page that appears, enter the email address of the user, and click Next. If you use domain substitution, you must apply the substitution to the email address.
You are redirected to AD FS. If you configured AD FS to use forms-based authentication, you see the sign-in page.
Enter your UPN and password for the Active Directory user, and click Sign in.
After successful authentication, AD FS redirects you back to the Google Cloud console. Because this is the first login for this user, you're asked to accept the Google terms of service and privacy policy.
If you agree to the terms, click Accept.
You are redirected to the Google Cloud console, which asks you to confirm preferences and accept the Google Cloud terms of service. If you agree to the terms, click Yes, and then click Agree and Continue.
At the upper left, click the avatar icon, and click Sign out.
You are redirected to an AD FS page confirming that you've been successfully signed out.
If you have trouble signing in, you might find additional information in the AD FS admin log.
Keep in mind that users that have super-admin privileges are exempted from single sign-on, so you can still use the Admin console to verify or change settings.
Optional: Configure redirects for domain-specific service URLs
When you link to the Google Cloud console from internal portals or documents, you can improve the user experience by using domain-specific service URLs.
Unlike regular service URLs such as https://console.cloud.google.com/
,
domain specific-service URLs include the name of your primary domain. Unauthenticated
users that click a link to a domain specific-service URL are immediately redirected
to AD FS instead of being shown a Google sign-in page first.
Examples for domain-specific service URLs include the following:
Google service | URL | Logo |
---|---|---|
Google Cloud console | https://www.google.com/a/DOMAIN/ServiceLogin?continue=https://console.cloud.google.com |
|
Google Docs | https://docs.google.com/a/DOMAIN |
|
Google Sheets | https://www.google.com/a/DOMAIN/ServiceLogin?continue=https://sheets.google.com
|
|
Google Sites | https://www.google.com/a/DOMAIN/ServiceLogin?continue=https://slides.google.com |
|
Google Drive | https://drive.google.com/a/DOMAIN |
|
Gmail | https://mail.google.com/a/DOMAIN |
|
Google Groups | https://www.google.com/a/DOMAIN/ServiceLogin?continue=https://groups.google.com |
|
Google Keep | https://www.google.com/a/DOMAIN/ServiceLogin?continue=https://keep.google.com
|
|
Looker Studio | https://www.google.com/a/DOMAIN/ServiceLogin?continue=https://lookerstudio.google.com |
|
YouTube | https://www.google.com/a/DOMAIN/ServiceLogin?continue=https://www.youtube.com/
|
To configure domain-specific service URLs so that they redirect to AD FS, do the following:
In the Admin Console, on the SSO with third-party IDPs page, click Domain-specific service URLs > Edit.
Set Automatically redirect users to the third-party IdP in the following SSO profile to enabled.
Set SSO profile to
AD FS
.Click Save.
Optional: Configure login challenges
Google sign-in might ask users for additional verification when they sign in from unknown devices or when their sign-in attempt looks suspicious for other reasons. These login challenges help to improve security, and we recommend that you leave login challenges enabled.
If you find that login challenges cause too much inconvenience, you can disable login challenges by doing the following:
- In the Admin Console, go to Security > Authentication > Login challenges.
- In the left pane, select an organizational unit for which you want to disable login challenges. To disable login challenges for all users, select the root organizational unit.
- Under Settings for users signing in using other SSO profiles, select Don't ask users for additional verifications from Google.
- Click Save.
Clean up
If you don't intend to keep single sign-on enabled for your organization, follow these steps to disable single sign-on in Cloud Identity or Google Workspace:
In the Admin Console and go to Manage SSO profile assignments.
For each profile assignment, do the following:
- Open the profile.
- If you see an Inherit button, click Inherit. If you don't see an Inherit button, select None and click Save.
Return to the SSO with third-party IDPs page and open the AD FS SAML profile.
Click Delete.
To clean up configuration in AD FS, follow these steps:
- Connect to your AD FS server and open the AD FS MMC snap-in.
- In the menu at left, right-click the Relying Party Trusts folder.
- In the list of relying party trusts, right-click the relying party trust you created, and click Delete.
- Confirm the deletion by clicking Yes.
What's next
- Learn more about federating Google Cloud with Active Directory.
- Learn about Azure Active Directory B2B user provisioning and single sign-on.
- Read about best practices for planning accounts and organizations and best practices for federating Google Cloud with an external identity provider.
- Acquaint yourself with our best practices for managing super-admin users..